Audit Quality

Management
Framework for the
Public Sector in Pakistan
(Year 2021)

DEPARTMENT OF THE AUDITOR GENERAL OF PAKISTAN

 Notice to the Reader
This framework should be kept in safe custody and made available only to the intended users of the
framework. Original copy of the framework should be kept with the QAI&M Wing and distribution thereof,
whether in the form of a hard copy or an electronic copy is the responsibility of the QAI&M Wing.
The contents of this framework should not be copied (physically or electronically) or distributed outside
the DAGP either in whole or in part without the prior written approval of AGP.
Contents

Introduction
5 ▪
▪
Historical Developments
Key Definitions
▪ Basis of the AQMF and Overview
of Applicable Standards Related
▪ Quality Management Approach to Audit Quality of SAIs
▪ Purpose and Scope of the Framework ▪ Organization of the Framework

Element 1: Leadership
17 ▪
▪
Leadership Structure
Culture of Quality

Element 2: Ethics
30 ▪
▪
Ethical Requirements
Legal and Regulatory Environment
▪ Staff Development

Element 3: Acceptance and Continuance

38 ▪
▪
Resource Management
Risk Management

Element 4: Human Resource

49 ▪ Recruitment, Staff Development and Performance
Management
▪ Third-Party Resourcing

Element 5: Performance of Audits and Other Work

59 ▪
▪
Audit Planning
Audit Execution
▪ Audit Reporting and Follow-ups

Element 6: Monitoring
88 ▪
▪
Quality Assurance
Communicating Results of Monitoring
▪ Feedback
▪ Independent Reviews

Annexures
101
List of Abbreviations

ADB Asian Development Bank HR Human Resource

AAG Additional Auditor General HRM Human Resource Management

Human Resource Management Information

AGP Auditor General of Pakistan HRMIS
System

AIR Audit Inspection Report IDI INTOSAI Development Initiative

AMIS Audit Management Information System ISQC 1 International Standard on Quality Control

International Organization of Supreme Audit

AO Audit Officer INTOSAI
Institutions

AQMF Audit Quality Management Framework ISA International Standards on Auditing

International Standards of Supreme Audit

CBC Capacity Building Committee ISSAI
Institutions

Criteria, Condition, Cause, Effect,

CCCECR IT Information Technology
Conclusion and Recommendation

CPD Continuing Professional Development KPI Key Performance Indicator

DAC Departmental Accounts Committee MSO Manual of Standing Orders

DAG Deputy Auditor General PAC Public Accounts Committee

Department of the Auditor General of

DAGP PAM Performance Audit Manual
Pakistan

DD Deputy Director PER Performance Evaluation Report

DG Director General PMF Performance Measurement Framework

ECL Exit Control List QAC Quality Assurance Committee

EQCR Engagement Quality Control Reviewer QAI&M Quality Assurance, Inspection & Monitoring

FAM Financial Audit Manual QMF Quality Management Framework

FAO Field Audit Office RAD Risk Area Digest

FAP Foreign Aided Projects SAI Supreme Audit Institution

FPSC Federal Public Service Commission SC Steering Committee

GUID The INTOSAI Guidance TA Technical Assistance

HO Head Office TOR Terms of Reference

3|
Version Control Sheet

Version No. Prepared in Approved in Authorized by

1.0 October 2020 February 2021 DAG QAI&M

4|
 Introduction
1
1.1 Historical Developments
Quality management is always a key concern with the auditing profession. Consistently, in both the
private and public sector, there is a need for developing a structural approach to quality management
in auditing. In the past, the Department of the Auditor General of Pakistan (DAGP), the Supreme Audit
Institution (SAI) of Pakistan, utilized a single primary mechanism for ensuring the quality of audit reports,
namely through a central Quality Assurance Committee (QAC) that played a limited role considering it
comes into play only when the reports have been prepared. Several years’ experience of this
mechanism revealed that quality control checks on audit reports could not prevent repetition of the
same deficiencies in the reports of the subsequent years. This implied that the mechanism did not
contribute towards improving audit processes. Consequently, it was realized that real improvement in
the quality of audit work required something more than testing and correcting only the audit reports.
Professional standards and guidelines are essential for the credibility, quality and professionalism of
public sector auditing; thus, the quality of the end product (i.e. audit report) can only be ensured by
having a framework that ensures conformity to international better practices and procedures at all the
stages of the audit cycle (i.e. audit planning, execution, reporting and follow ups). This framework, with
the objective to transform the audit cycle with a more quality-centric approach, is known as the Audit
Quality Management Framework (AQMF) and is prepared in consonance with international better
practices and relevant standards of INTOSAI (details of applicable standards are explained in Section
1.5 “Basis of the AQMF and Overview of Applicable Standards related to Audit Quality of SAIs” below).
As a member of INTOSAI, the DAGP adopted the Code of Ethics and then developed DAGP standards
followed by various manuals, i.e. Financial Audit Manual (FAM), Performance Audit Manual (PAM),
Audit Manual for Foreign Aided Projects (FAP) and various Sectoral Guidelines, to improve the quality
of audit reports.
In 2011, the DAGP developed the Quality Management Framework (QMF) considering applicable
International Standards of Supreme Audit Institutions (ISSAI) and other guidelines to improve quality of
audit outputs (i.e. audit reports) and contribute towards promoting and strengthening accountability,
transparency, good governance and parliamentary oversight of public spending.
In 2019, the DAGP established a quality management wing, known as “Quality Assurance, Inspection
& Monitoring (QAI&M)” as per circular No.132/AP&SS/158-C/2016 date 19 April 2019. QAI&M Wing is
headed by Deputy Auditor General (DAG) QAI&M, who directly reports to the Auditor General of
Pakistan (AGP). QAI&M Wing is envisioned to absorb the QAC function and also implement the AGP’s
vision for a more quality-centric audit cycle by performing quality assurance procedures, which would
identify deficiencies in the quality control system established in the DAGP. As a result, QAI&M Wing
plays a vital role in assessing and improving the systems of quality control within the DAGP. The
mandate of QAI&M Wing is laid out in Annexure B “QAI&M Mandate”.
In time, it was realized by the DAGP that the QMF developed in 2011 was still only partially
implemented. The QMF 2011 envisages an institution-wide quality management system that improves
the quality of audit work within the DAGP through well-defined mechanisms; however, the DAGP faced
some challenges in effectively implementing the QMF 2011, such as the fact that the QMF was not fully
aligned with the performance benchmarks established under the INTOSAI Development Initiative (IDI)

5|
SAI Performance Management Framework (PMF) 1 and the partial implementation of the QMF’s
requirements within the DAGP. As a result, audit processes and audit reports do not contain the level
of quality that the QMF envisages; hence, the DAGP requested Technical Assistance (TA) from the
Asian Development Bank (ADB) to engage a consultancy firm to assist in this regard. The firm, knowing
that the DAGP adopted the ISSAI and intends to build its staff’s capacity to comply with these standards,
determined through an “As-Is Analysis” that the QMF 2011 is inappropriately aligned with newer audit
quality related standards for SAIs. It was mutually decided among DAGP, ADB and the engaged firm
that the QMF 2011 would be redeveloped in line with ISSAI 140 “Quality Control for SAIs” (refer to
Annexure A “ISSAI 140”). The engaged firm prepared an inception report for the project, known as “TA
for Implementation of AQMF in the DAGP”, detailing all activities that will be performed in order to build
capacity within the DAGP and develop systems and procedures for effective implementation of its QMF,
among which include developing this document to replace the outdated QMF.

1.2 Key Definitions

1. Analytical procedures: Analytical procedures consist of evaluations of financial information
through analysis of plausible relationships among both financial and non-financial data. Analytical
procedures also encompass such investigation as is necessary of identified fluctuations or
relationships that are inconsistent with other relevant information or that differ from expected
values by a significant amount.
2. Assertions: Assertions are representations by management, explicit or otherwise, that are
embodied in the financial statements, as used to consider the different types of potential
misstatements that may occur. The auditor shall use relevant assertions in considering the
different types of potential misstatements that may occur and provide a basis when the auditor
design and perform audit procedures in order to obtain sufficient appropriate audit evidence.
3. Audit evidence: Audit evidence is information used by the auditor in arriving at the conclusions
on which their opinion(s) is / are based. Most of the auditor’s work in forming opinion(s) consists
of obtaining and evaluating audit evidence, which may be obtained internally (from the audited
entity) or externally (from third parties).
4. Audit execution: A phase that follows planning that entails the fieldwork to obtain appropriate,
sufficient audit evidence in order to form the basis of audit opinions, conclusions and
recommendations. Results of the audit are evaluated during this phase.
5. Audit officer (AO): The AO is typically the Field Team Lead, though in some cases it can be the
Director or Deputy Director (DD), and is mainly responsible for the audit execution. AOs are
supported by Assistant AOs, Senior and Junior Auditors for carrying out audits.
6. Audit plan: An audit plan is a record of the planned nature, timing and extent of risk assessment
procedures, further audit procedures at the assertion level in response to the assessed risks, and
other audit procedures.
7. Audit planning: The initial phase of an audit cycle, which involves procedures to establish audit
objectives and scope; understand an audit entity and its operations for risk assessment; assess
materiality, planned precision and audit risk; understand the audit entity’s internal control structure;
determine components; determine audit objectives with error/irregularity conditions; assess risks
and determine a mix of tests of internal control, analytical procedures and substantive tests of
details.
8. Audit programmes: Audit programmes contain audit procedures designed to obtain sufficient and
appropriate audit evidence commensurate with the audit risk determined by the auditor based on
his assessment of the risk of material misstatement performed as part of the audit planning.
9. Audit risk: Audit risk is the risk that the auditor expresses an inappropriate audit opinion when
financial statements are materially misstated. Audit risk is a function of the risk of material

1
www.idi.no/elibrary/well-governed-sais/sai-pmf/426-sai-pmf-2016-english/file

6|
 misstatement (i.e. the risk that the financial statements are materially misstated prior to audit) and
the risk that the auditor will not detect such misstatement (i.e. detection risk).
10. Audited entity: The organization or individuals whose subject matter are audited by auditors of
the DAGP. The audited entity is responsible for the subject matter information, for managing the
subject matter and for addressing recommendations established by the auditors.
11. Engagement Quality Control Reviewer (EQCR): An independent officer (an Audit Officer (AO)
or any other staff as per discretion of the DG of respective FAO) of an FAO, independent from the
audit team, who performs quality control procedures for assigned individual audits.
12. Field Audit Offices (FAOs): FAOs that carry out the work of the DAGP by conducting field audits
of audited entities and their formations.
13. Formations: Units under the administration of the audited entity that shall be audited by field
auditors dispatched from field offices of the DAGP.
14. Head of the SAI: In public-sector auditing, the role of the auditor is fulfilled by the Head of the SAI
and by persons to whom the task of conducting the audits is delegated. The overall responsibility
for public-sector auditing remains as defined by the SAI’s mandate. In the context of the
Government of Pakistan, the Head of the SAI is the AGP.
15. Head Office (HO): The HO of the DAGP consist of various Wings established by the AGP to tackle
particular functions deemed required to enable FAOs to be able to perform their duties effectively.
16. Independence: Independence is a situation where individuals are able to perform activities
without being affected by relationships that can influence and compromise professional judgment,
allowing them to act with integrity and exercise objectivity and professional scepticism.
17. Internal controls: The process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance about the
achievement of the audited entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
18. Objectivity: Objectivity is the mental attitude where individuals are able to act in an impartial and
unbiased manner, presenting or assessing things on the basis of facts rather than own feelings
and interests, without subordinating judgment to others.
19. Quality: Quality is a property of the product that is designed to be achieved through effective
quality control and quality assurance. Quality itself, in the context of the DAGP, is the certification,
with reasonable assurance, that the audit reports issued are appropriate under the circumstances,
and that those responsible for preparing the audit reports comply with professional standards and
applicable legal and regulatory requirements.
20. Quality assurance: Quality assurance is the identification of errors and defects after the audit
product passes through the quality control system. Quality assurance is further defined, in the
context of the DAGP, at the end of Section 1.3 below.
21. Quality Assurance Committee (QAC): QAC are committees responsible for the final quality
assurance review of the audit report.
22. Quality assurance implication: Quality assurance implications state any required action or
impact to the quality assurance system at QAI&M Wing as a result of aligning DAGP processes,
policies or procedures with applicable international standards with regard to quality assurance
procedures.
23. Quality control: Quality control is the prevention of errors and assuring compliance with
professional standards through control systems in place. Quality control is further defined, in the
context of the DAGP, at the end of Section 1.3 below.
24. Quality control implication: Quality control implications state any required action or impact to
the quality control system (either at the FAO or HO level) as a result of aligning DAGP processes,
policies or procedures with applicable international standards.

7|
25. Quality management: Quality management is the overall system in place at the DAGP designed
to ensure quality of the audit report, i.e. the combination of the quality control and quality assurance
system.
26. Reasonable assurance: Reasonable assurance is obtained when the auditor has obtained
sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. It is a high,
but not absolute, level of assurance.
27. SAI: An institution with a purpose of determining whether government spending of public money
is in line with laws & regulations and that it is spent efficiently by ensuring adherence to applicable,
established standards. In the context of the Government of Pakistan, the DAGP is the SAI.
28. Sampling: Audit Sampling involves applying audit procedures to less than 100 percent of items
within a population.
29. Stakeholder: Any individual or entity that shall rely on the audit reports for their awareness or as
a basis for decision making purposes, which includes, but not limited to, the Parliament, Public
Accounts Committee (PAC), the audited entity, legislative or oversight bodies and the general
public.
30. Substantive tests of details: Procedures used by auditors to ensure whether or not the financial
statements and supporting documentation contain errors.

1.3 Quality Management Approach

The process of quality management rests on certain principles. These principles refer to good practices
currently followed around the world and are applicable at all tiers of the institution. In the process of
developing a quality management system for the DAGP, the following principles of quality management
in public service delivery have been considered:
1. Focus on the client – addressing the prime needs of the internal and external stakeholders.
Appropriately incorporating the audited entity’s point of view in the audit report indicates client
focus.
2. Leadership – bonding vision, aims and strategies in the profession.
3. Participatory Management – ensuring effective and equitable participation of all the stakeholders
at various levels of service delivery.
4. Focus on tools – structured procedures, quality assurance mechanisms leading to envisioned
outcomes of the service. The Criteria, Condition, Cause, Effect, Conclusion and Recommendation
(CCCECR) Model for audit reporting is an example of structured approach to auditing.
5. Adopting appropriate decision support systems – encouraging logical and evidence based
decision making for improved accountability of public functionaries.
6. Continuous improvement – recognizing the need to respond to the changing local and global
requirements of the profession. This requires continuous skill management and improvement in
the quality of the workforce.
7. Autonomy – delegating the functions and responsibility to the appropriate tier of management.
8. Sharing benefits – ensuring that the improvement in the practices and procedures, leading to
development, transfer of knowledge and skills, equally benefit the internal and external stake
holders including the field workers, institutions, and the society.
9. Continuity and the way forward – ensuring that the institutions and Quality Assurance
Mechanisms are dynamic to accommodate continued improvement and are committed to identify
actions and issues to be addressed in future.
The present AQMF has been developed after reviewing international better practices as reflected in the
INTOSAI standards and guidelines keeping in view the foregoing experience. Annexure A “ISSAI 140”
contains a blueprint of the overall quality management requirements of an SAI. The quality of an end-
product cannot be ensured unless quality control procedures are diligently followed at all stages during

8|
the entire audit phase. Learning from the quality assurance and quality control practices followed at
DAGP, the AQMF is purposed to install an extensive approach, which considers all the dimensions of
audit quality as identified below2:
1. Significance – How important is the matter that was examined in the audit? This, in turn, can be
assessed in several dimensions, such as the financial size of the audited entity and the impact of
the performance of the audited entity on the public at large or on major national policy issues.
2. Auditability – How reliable is the financial information kept in records? This reliability is determined
by the audited entity’s practices, the transparency of its operational reporting, and the forthrightness
of the audited entity’s management in interacting with and providing their auditors with the required
information. If auditability is lacking, audit observations and opinions must reflect this fact
appropriately
3. Reliability – Are the audit findings and conclusions an accurate reflection of actual conditions with
respect to the matter being examined? Are all assertions in the audit report or other product fully
supported by the data gathered in the audit?
4. Objectivity – Was the audit carried out in an impartial and fair manner without favour or prejudice?
The auditor should base his assessment and opinion purely on fact and on sound analysis.
5. Scope and Completeness – Did the audit task plan properly address all elements needed for a
successful audit? Did execution of the audit satisfactorily complete all the needed elements of the
task plan?
6. Timeliness – Were the audit results delivered at an appropriate time? This may involve meeting a
statutory deadline or delivering audit results when they are needed for a policy decision or when
they shall be most useful in correcting management weaknesses.
7. Clarity – Was the audit report clear and concise in presenting the results of the audit? This typically
involves being sure that the scope, findings and any recommendations can be readily understood
by busy executives and parliamentarians who may not be experts in the matters that are addressed
but may need to act in response to the report.
8. Efficiency – Were the resources assigned to the audit reasonable in the light of the significance and
complexity of the audit? Have the resources performed their audit work in a timely manner?
9. Effectiveness – Did the audit report results in improving public financial management of the audited
area? Effectiveness of audit is judged in terms of results and impacts achieved. The results and
impacts like recoveries made on the findings of audit, any improvement in internal controls,
accountability of public officials entrusted with use of public resources, changes in systems,
procedures and laws provide clear indication of the effectiveness of audit. The findings, conclusions
and recommendations in the audit report should help the audited entity, the government and / or
parliament in improving government operations and policy making.
The challenge of encompassing aforementioned quality dimensions calls for a shift from the quality
assurance of the end product to quality management of the entire audit cycle.
Definitions of Quality Management Components: Most INTOSAI standards (ISSAI) use the term
“quality control” when describing an audit quality management framework. The term “quality assurance”
is rarely used. For example, ISSAI 140 uses the term “quality control” when referring to the policies and
procedures in place to ensure quality while the audit is being conducted, and the processes in place to
assess the quality of audits after they have been completed.
INTOSAI’s performance auditing standards differentiate between quality control and quality assurance.
According to GUID 3910 (Central Concepts for Performance Auditing), quality control relates to the
policies and procedures in place to ensure quality while the audit is being conducted, and quality

2
Adapted from EUROSAI’s “Guidelines on Audit Quality”: www.eurosai.org/en/databases/products/Guidelines-on-Audit-Quality

9|
assurance relates to the processes in place to assess the quality of audits after they have been
completed. The AQMF follows the above differentiation and defines the two concepts as follows:

Quality Control According to GUID 3910, a quality control system includes policies and
procedures designed to provide the SAI with reasonable assurance that it, and its
personnel, comply with professional standards and applicable legal and regulatory
requirements. The objective is to ensure that audits are conducted at a
consistently high level. Quality control procedures cover matters such as direction,
supervision and review of the audit process and the need for consultation in order
to reach decisions on difficult or contentious matters.
In the context of the DAGP, the quality control system is the responsibility of the
entire organization. FAOs shall be responsible for incorporating and utilizing
quality control in their management as well as for the entirety of audit cycles for
their audits, from planning, execution to reporting and follow-up. Quality control is
the process through which the DAGP is able to ensure that all phases of an audit
process are carried out in accordance with applicable standards, rules, practices,
and procedures.
The HO of the DAGP is responsible for the strategic and institutional aspects of
quality control that assist the FAOs in achieving effective quality control at the
operational level. Various HO Wings are employed in the DAGP to target such
aspects, such as the HR and Audit Policy Wing.
Quality According to GUID 3910, a quality assurance process allows audits to be
Assurance independently assessed after their completion on a consistent basis against
specific criteria. The main purpose of quality assurance is to monitor the SAI’s
quality control system as designed and assess if the appropriate controls are in
place and are working appropriately. To perform this assessment of the quality
control system, a criteria-based questioning must be undertaken that should be
developed according to the particular circumstances of the SAI.
In the context of the DAGP, quality assurance is the responsibility of QAI&M Wing.
This dedicated wing was established for the monitoring and implementation of
systems of quality control within the DAGP. Refer to Annexure B “QAI&M
Mandate” for the stipulated functions of QAI&M Wing. For further details regarding
the role of QAI&M Wing related to quality assurance mechanisms, refer to
Sections 4-9, Element 6 “Monitoring”.

1.4 Purpose and scope of the AQMF

The DAGP should work towards providing consistently high quality audit products and services that
meet stakeholder expectations in the most efficient and cost effective way. This must be achieved while
maintaining a high degree of integrity, accountability, and competence. Quality must be embedded in
all areas of the DAGP’s activities. All these factors lead to the need for the DAGP to implement robust
quality control systems.
The main purpose of the AQMF is to emphasise the importance of quality control in the effective delivery
of the DAGP’s mandate. It has been produced to help achieve the AGP’s vision of a more quality-centric
approach in the performance of audits. The AQMF is designed to separate quality control and quality
assurance, differentiating the role of QAI&M Wing and FAOs, with QAI&M Wing primarily responsible
for quality assurance, the various FAOs responsible for quality control at the operational level and
various HO Wings responsible for quality control at the central level.
The AQMF applies to the entire audit cycle of all audit assignments conducted by the DAGP in context
of audit quality. The audit cycle starts from audit planning, execution, reporting and follow-up phases.
To enhance the quality of the audit cycle, various templates related to quality control were produced in
the AQMF. To serve as a check on the quality control system, various quality assurance templates were
also provided in the AQMF to instil quality assurance procedures.

10 |
The AQMF addresses quality management requirements by making efficient use of already existing
aids for implementing robust quality control and quality assurance measures. These aids comprise of:
1. Quality control measures for each phase of the audit cycle as embedded in the manuals and
Sectoral Guidelines.
2. Tools for implementing these quality control measures provided in Working Paper Kit of FAM.
3. Quality assurance measures as embedded in the Quality Control & Quality Assurance Chapter
or the audit manuals.
4. Best practices as per INTOSAI standards.

1.5 Basis of the AQMF and Overview of

Applicable Standards related to Audit
Quality of SAIs
The AQMF draws on ISSAI 140, which is an adaptation of the International Standard on Quality Control
1 (ISQC-13), as provided in Annexure A “ISSAI 140”. The ISSAI, issued by INTOSAI, state the
fundamental pre-requisites for the orderly function, professional conduct of SAIs and fundamental
principles in auditing of public entities. The following are the applicable standards that have been
considered to benchmark current quality assurance / control processes against applicable standards.

Standard and Title Description

This ISSAI is to assist SAIs to establish and maintain an appropriate system of

quality control that covers all of their work, and to design an appropriate quality
control system with respect to their mandates which responds to their risks to
quality. Key elements of ISSAI 140 are:
ISSAI 140 - Quality
Control for SAI
 Leadership responsibilities for quality within the SAI
 Relevant Ethical Requirements
 Acceptance and Continuance
 Human Resource
 Performance of audit and other work
 Monitoring
ISQC 1 – International This standard was adapted by INTOSAI to the context of SAIs to form ISSAI 140. It
Standard on Quality is upon the principles and concept contained within ISQC 1 that ISSAI 140 was
Control developed.
ISSAI 130 - Code of This ISSAI assist SAIs to establish a Code of Ethics to provide SAIs, and the staff
Ethics working for them, a set of values and principles on which to base behaviour.
ISSAI 2220 - Quality ISSAI 2220 is practice note for the implementation of ISA 220 which is applicable to
Control for audit of the auditors of public sector entities in their role as auditors of financial statements.
financial statements It also addresses the responsibilities of Engagement Quality Control Reviewer.
ISSAI 2620 is practice note to ISA 620, using the work of an auditor's expert during
ISSAI 2620 - Using the their course of auditing. It deals with the auditor’s responsibilities relating to the work
work of an auditor’s expert of an individual or organization in a field of expertise other than accounting or
auditing, when that work is used to assist the auditor in obtaining sufficient
appropriate audit evidence.
ISSAI 3000 - Performance
Audit standards The standard covers the requirements for auditors during performing Performance
Audits and help them interpret central concepts for performance auditing including
(Section 79) quality control requirements pertaining to performance auditing.

3
www.ifac.org/system/files/downloads/a007-2010-iaasb-handbook-isqc-1.pdf

11 |
GUID 3910 - Guidelines
on Performance Audit GUID 3910 covers the guidelines specific to performance audit. It provides
additional guidance to help auditors comply with the requirements of ISSAI 3000.
(Section 100-108)

ISSAI 4000 - Compliance

Audit standards The standard covers the objectives, principles and general requirements applicable
to the auditors in their role as auditor during the compliance audit.
(Sections 80-88)

INTOSAI P-1 - The Lima This document covers principles relating to the independence of SAIs and how they
Declaration should tie in with the governing legislation.
INTOSAI P-10 - Mexico This document includes eight principles that SAIs generally recognize which flow
Declaration on SAI from the Lima Declaration and decisions made at the XVII th Congress of INTOSAI
Independence (in Seoul, Korea), as essential requirements of proper public sector auditing.
This document sets out principles that are constructed around the fundamental
INTOSAI P-12 - The expectations of SAIs making a difference to the lives of citizens. The extent to which
Value and Benefits of a SAI is able to make a difference to the lives of citizens depends on the SAI:
Supreme Audit Institutions  Strengthening the accountability, transparency and integrity of government
– making a difference to and public sector entities;
the lives of citizens  Demonstrating ongoing relevance to citizens, Parliament and other
stakeholders; and
 Being a model organization through leading by example.
GUID 9030 - Good
Practice on Independence This includes the good practices regarding each of the eight principles mentioned in
of SAI INTOSAI P-10 Mexico Declaration on SAI Independence

Other Standards These ISSAI include principles that assist SAIs to establish and maintain an
appropriate system of quality control while performing various audits. The scope
(ISSAI 100, ISSAI 300,
includes following sections of respective standards: Section 38 of ISSAI 100,
ISSAI 400)
Sections 21 & 22 of ISSAI 300 and Section 44 of ISSAI 400.
EUROSAI’s “Guidelines The aim of these guidelines is to assist SAIs in assuring the quality of their work and
on Audit Quality” the resulting products.
INTOSAI’s CBC HRM This guide helps identify the key activities of a modern Human Resource (HR)
Guide function relevant to SAIs.
IDI Strategic Management The aim of this handbook, prepared on 18 December 2020, is to formulate a single
Handbook for Supreme step by step approach to strategic planning that will enable SAIs to develop
Audit Institutions strategic plans and to claim ownership of them.
The SAI PMF provides SAIs with a framework for voluntary assessments of their
IDI Performance performance against ISSAIs and other established international good practices for
Measurement Framework external public auditing. SAI PMF is a multi-purpose, universal framework, and can
for SAIs be applied in all types of SAIs, regardless of governance structure, mandate,
national context and development level.

1.6 Organization of the AQMF

The AQMF consists of guidance on quality management in the areas of Leadership, Ethics, Acceptance
and Continuance of Audit Work, Human Resource, Performance of Audit & Other Works and
Monitoring. It provides a set of forms, templates, tools and checklists to be used for either quality control
(for FAOs) or quality assurance (for QAI&M Wing) in the Annexures.

1.6.1 Basis for the Preparation of the AQMF

In general, the contents of the AQMF have been assimilated from:

1. INTOSAI – Principles (P)

12 |
 2. INTOSAI – Standards (ISSAI)
3. INTOSAI – Guidance (GUID)
Some other INTOSAI documents have been consulted where relevant and have been incorporated
into Section 1.5 “Basis of the AQMF and Overview of Applicable Standards related to Audit Quality of
SAIs”.

*Standards as per the INTOSAI website: https://www.intosai.org/focus-areas/audit-standards.

13 |
1.6.2 Overview of the AQMF
Areas covered in the AQMF (aligned with applicable standards related
Chapter Listing
to audit quality of SAIs)
 Historical Developments
 Key Definitions
 Quality Management Approach
Introduction
 Purpose and Scope of the AQMF
 Basis of the AQMF and Overview of Applicable Standards Related
to Audit Quality of SAIs
 Organization of the AQMF
Leadership  Leadership Structure
 Culture of Quality
 Ethical Requirements
Ethics
 Legal and Regulatory Environment
 Staff Development
Acceptance and Continuance  Risk Management
 Resource Management
Human Resource  Resourcing and Recruitment
 Capacity Building, Performance Management and Appraisal
Performance of Audit and Other  Audit Planning
Work  Audit Execution
 Audit Reporting and Follow-ups
 Quality Assurance
Monitoring  Reporting
 Feedback
 Independent Reviews

1.6.3 Guidance on how to use the AQMF

To best assist the DAGP in aligning itself with ISSAI 140 and manage a more quality centric approach
in their work, the AQMF has been structured according to the structure of the standard. The following
infographic illustration shall provide an introduction to this structure to assist in reading the document:

Throughout the AQMF, as requirements of applicable international standards are documented,

implications shall arise for either quality control or quality assurance systems of the DAGP. Refer to
Annexure E “Summary of Quality Control / Assurance Implications” for a summary of these implications,
which also states the key instruments employed within the DAGP to address the standard requirement,
if applicable.

14 |
1.6.4 Links to other Relevant Documentation of the Government of Pakistan
The AQMF serves as a guiding framework regarding quality management during an audit, referring to
several other documents of the Government of Pakistan where applicable. These serve as key
instruments employed by the DAGP and their relevance to quality control and quality assurance is
portrayed in Annexure E “Summary of Quality Control / Assurance Implications”. These documents
include the following:

Audit Manuals & Guidelines

 FAM (and its Working Paper Kit)  PAM
 Audit Manual for FAP  DAGP Sectoral Guidelines
Other Documents
 Audit report & audit plan templates  National Assembly Rules of Business
 Project Management Guidelines  Manual of Standing Orders (MSO)
 DAGP Strategic Plan  DAGP HR Strategy
 DAGP Training Plan  DAGP Code of Conduct
 DAGP Code of Ethics (as described in  The Constitution of the Islamic Republic of
manuals) Pakistan
 AGP Ordinance 2011  Performance Evaluation Report (PER)
 Public Procurement Rules  Right of Access to Information Act 2017
 System of Financial Control and Budgeting  Public Financial Management Act 2019
2006

1.6.5 Need for Professional Judgement

Despite the detailed guidance presented in the AQMF, professional judgment is always required. It is
not possible to present guidance material in sufficient detail to eliminate the need for professional
judgment. There are many possible approaches to obtaining the required level of audit quality, each
appropriate in certain circumstances. The auditor must be prepared to consider the circumstances of
each audit and determine the best approach.

15 |
As such, quality control and quality assurance templates provided in the Annexures may be adapted to
consider the context and complexities of a particular FAO and its audited entities.

1.6.6 Changing / Updating the AQMF

The work of the DAGP continues to evolve. Consequently, the AQMF should also be periodically
updated to ensure that it reflects the most current applicable standards that the DAGP follows. As
several ISSAIs are currently under review, it is quite possible that additional better practices / standard
requirements may be made available. QAI&M Wing is therefore encouraged to identify areas in which
the AQMF requires updating or enhancement by monitoring the INTOSAI website for updates regarding
their pronouncements on a regular basis. If any action to update the framework is needed, DAG QAI&M
shall initiate the activity with the approval of the AGP and, upon completion of the activity, shall officially
notify the document to communicate it to all DAGP staff. If DAG QAI&M recommends another Wing of
the HO to update the AQMF for any reason, the AGP shall provide the approval do so and direct the
Wing to commence their work.

16 |
 Element 1:
2
Leadership
An SAI should establish policies and procedures designed to promote an
internal culture recognizing that quality is essential in performing all of its
work. Such policies and procedures should be set by the Head of the SAI,
who retains overall responsibility for the system of quality control. (ISSAI 140
element 1, key principle, page 11)

The DAGP should establish policies and procedures designed to promote an

internal culture recognizing that quality is essential in performing all types of audits.
Such policies and procedures should require the AGP to assume ultimate
responsibility for the DAGP’s system of quality control and quality assurance.

2.1. Index for Implications

As discussed in Section 1.6.3, quality control or quality assurance implications may arise to
impact the quality control or quality assurance systems of the DAGP (a summary of which is
available in Annexure E “Summary of Quality Control / Assurance Implications”); hence, the
index below has been developed to provide guidance regarding where details of the major
implications, relevant to this chapter, may be found. However, to truly understand and apply
ISSAI 140 in the work of the DAGP, it is strongly recommended to read the chapter in order.

ISSAI 140 Implication on DAGP Mechanism Aligning DAGP with Section

ISSAI 140 No.
The AGP should have sufficiently long Legislation established by the Government 3, 4 & 6
terms, clearly defined functions & powers of Pakistan.
and financial autonomy & independence.
The DAGP should establish a “tone at the Communicating an established vision, 10
top” and achieve a culture that recognises mission and core values to all DAGP staff.
the importance of quality.
The DAGP should employ an overarching Authorizing external activities for DAGP’s 17
strategy to achieve quality in all of its work leadership during and after their terms of
in order to ensure its work is independent office.
and objective, free from any political,
economic or other considerations.

17 |
 ISSAI 140 Implication on DAGP Mechanism Aligning DAGP with Section
ISSAI 140 No.
The DAGP should oversee the overall The DAGP Strategic Plan, annual 18
strategic planning process and ensure operational plans and overseeing
that the strategic plan provides a solid implementation of the strategy.
framework for enhancing the
effectiveness of the audit institution as an
accountability mechanism.
The DAGP should use appropriate tools The DAGP’s communication system and 21
to promote effective internal the maintenance of standing orders.
communication and maintain a database
to ensure all standing orders are properly
documented and available to staff for
reference.
The DAGP should ensure that sufficient Periodic staffing assessments at the 24
resources are available to maintain the central level to ensure the HO is
system of quality control and quality sufficiently equipped to support FAOs.
assurance.

18 |
2.2. Leadership Structure
The Head of the SAI may be an individual or a group depending on the mandate and
circumstances of the SAI. (ISSAI 140 element 1 section 1, page 12)

1. The AGP is a constitutional post and leads his organisation, i.e. DAGP, that acts as the
SAI in Pakistan for ensuring public accountability and fiscal transparency in
governmental operations. The AGP is mandated to bring about improvements in the
financial discipline and internal control environment in the executive departments for
minimizing the possibility of waste and fraud.
2. Articles 168 – 171 of the Constitution of Islamic Republic of Pakistan4 (herein referred
as “the Constitution”), along with the AGP Ordinance 2001, governs the appointment,
tenure, function, powers and reporting mechanism of the AGP.
3. The appointment of the AGP should be done through a transparent process that ensures
their independence. The legislation should specify the conditions for appointments,
reappointments and removal of the AGP. As per INTOSAI P-10 Principle 25, “The Head
of the SAI should be given appointments (and re-appointments) with sufficiently long
and fixed terms, to allow them to carry out their mandates without fear of retaliation.”

Quality Control Implications (HO-Level)

As per Article 168 of the Constitution6, which details the appointment, tenure and
removal of the AGP:
• AGP shall be appointed by the President;
• The tenure of the AGP shall be of four years or when they attain the age of 65,
whichever is earlier;
• The other terms and conditions of services of the AGP shall be determined by Act
of Parliament; and, until so determined, by order of the President; and
• The removal of the AGP shall be in the manner and on grounds like that of a Judge
of the Supreme Court.

4. As per INTOSAI P-10 Principle 27, “The Head of the SAI should be immune to any
prosecution for any act (…) that results from the normal discharge of their duties.” The
functions, powers and duties of the AGP should be clearly defined and established in
the legislation.

Quality Control Implications (HO-Level)

Article 169 of the Constitution6 details the functions and powers of the AGP:
The AGP shall perform such functions and exercise such powers as determined by or
under Act of Parliament or by order of the President in relation to:

4
www.na.gov.pk/uploads/documents/1333523681_951.pdf
5
www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_1_u_P_10/INTOSAI-P-10_en.pdf
6
www.na.gov.pk/uploads/documents/1333523681_951.pdf
7
www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_1_u_P_10/INTOSAI-P-10_en.pdf

19 |
 • the accounts of the Federation and of the provinces; and
• the accounts of any authority or body established by the Federation or a province.
Article 170 of the Constitution6 details the powers of the AGP:
• The accounts of the Federation and of the Provinces shall be kept in such a form
and in accordance with such principles and methods as the AGP may, with the
approval of the President, prescribe;
• The audit of the accounts of the Federal and of the Provincial Governments and
the accounts of any authority or body established by, or under the control of, the
Federal or a Provincial Government shall be conducted by the AGP, who shall
determine the extent and nature of such audit.
Accordingly, the AGP Ordinance 20018 has been issued on 17 May 2001 by the Ministry
of Law, Justice, Human Rights and Parliamentary Affairs, which details the power and
functions of the AGP:
As per Section 7 “Auditor-General to certify account” of the AGP Ordinance 20018: “The
Auditor-General shall, on the basis of such audit as he may consider appropriate and
necessary, certify the accounts, compiled and prepared by Controller General of
Accounts or any other person authorized in that behalf, for each financial year, showing
under the respective heads the annual receipts and disbursements for the purpose of
the Federation of each Province and of each district, and shall submit the certified
accounts with such notes, comments or recommendations as he may consider
necessary-to the President or the Governor of a Province or the designated District
Authority, as the case may be”
As per Section 8 “Provisions relating to Audit” of the AGP Ordinance 20019: “The
Auditor-General shall:
• audit all expenditure from the Consolidated Fund of the Federation and of each
Province and to ascertain whether the moneys shown in the accounts as having
been disbursed were legally available for, and applicable to, the service or purpose
to which they have been applied or charged and whether the expenditure conforms
to the authority which governs it;
• audit all transactions of the Federation and of the Provinces relating to Public
Accounts;
• audit all trading, manufacturing, profit and loss accounts and balance sheets and
other subsidiary accounts kept by Order of the President or of the Governor of a
Province in any Federal or Provincial department; and
• audit, subject to the provisions of this Ordinance, the accounts of any authority or
body established by the Federation or a Province, and in each case to report on the
expenditure, transactions nr accounts so audited by him.”

5. The AGP should report the findings derived from the DAGP to the appropriate authority
for them to facilitate corrective actions and consequences.

8
www.agp.gov.pk/SiteImage/Misc/files/AGP-Ordinance-2001.pdf
9
www.agp.gov.pk/SiteImage/Misc/files/AGP-Ordinance-2001.pdf

20 |
 Quality Control Implications (HO-Level)

As per Article 171 of the Constitution10, which details the reporting mechanism of the
AGP, reports approved by the AGP with relation to the federal accounts should be
presented to the President and onwards to the parliament. In case of reports pertaining
to the provincial accounts, the reports should be submitted to the governor of the
province and onwards to the provincial assembly.
The Rules of Procedure and Conduct of Business in the National Assembly 200711 detail
the composition and function of the PAC. The mandate of the PAC is to scrutinize the
accounts of the Government and reports of the AGP.

6. The AGP should have financial independence, autonomy and the means to enable them
to accomplish their tasks. As per INTOSAI P-112, “SAIs shall be entitled to apply directly
for the necessary financial means to the public body deciding on the national budget.”
The standard also states, “SAIs shall be entitled to use the funds allotted to them under
a separate budget heading as they see fit.” As per INTOSAI P-1013, “After the SAI’s
budget has been approved by the legislature, the Executive (Ministry of Finance) should
not control the SAI’s access to these resources.”

Quality Control Implications (HO-Level)

The AGP should have financial autonomy and their budget should not be under any
undue interference from any divisions, ministries or departments within the government.
Article 81 of the Constitution14 states that the budget for the AGP shall be expenditure
charged upon the Federal Consolidated Fund.

7. Should there be any matters that affect the DAGP’s ability to perform their work in
accordance with their mandate and / or legislative framework, the DAGP should report
such matters to the AGP who should take further actions as required.

The Head of the SAI should take overall responsibility for the quality of all work
performed by the SAI. (ISSAI 140 element 1 section 2, page 12)
The Head of the SAI may delegate authority for managing the SAI’s system of quality
control to a person or persons with sufficient and appropriate experience to assume
that role. (ISSAI 140 element 1 section 3, page 12)

8. The overall responsibility of the quality of work lies with the AGP. To execute the
mandate assigned to the AGP and maintain the quality of work performed, the AGP has
systematically delegated authority at various levels. The AGP is assisted by Additional
Auditor Generals (AAG) who oversee the work of Audit and other Wings. FAOs with
clearly delineated audit jurisdiction have been established across the country to perform
the audit activities. These FAOs are organized under Audit Wings and each of the Wings
are headed by DAG who report to the AAG. The DAG is responsible for quality control

10
www.na.gov.pk/uploads/documents/1333523681_951.pdf
11
www.na.gov.pk/uploads/publications/rules_procedure.pdf
12
www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_1_u_P_10/INTOSAI-P-1_en.pdf
13
www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_1_u_P_10/INTOSAI-P-10_en.pdf
14
www.na.gov.pk/uploads/documents/1333523681_951.pdf

21 |
 system for all the work performed under its wing. Each FAO is headed by a Director
General (DG) who is responsible for all work performed under its FAO.
The overall quality management at the DAGP can be divided into two areas:
2.2.1. Quality Control
The DG of an FAO is responsible for the quality control system in their respective office.
2.2.2. Quality Assurance
QAI&M Wing at the DAGP level is responsible for quality assurance. Refer to Sections
4 - 11 Element 6 “Monitoring” for further details of the quality assurance mechanism.
9. When authority needs to be delegated, the DAGP should ensure that the person or
persons assuming authority are of sufficient and appropriate experience; furthermore,
senior management within the DAGP should take initiative and be ready to engage in
ethical issues and look after any related problems in this regard.

22 |
 2.3. Culture of Quality
SAls should strive to achieve a culture that recognises and rewards high quality work
throughout the SAI. To achieve that culture the Head of the SAI should set the right
“tone at the top” which emphasises the importance of quality in all of the work of the
SAI, including work which is contracted out. Such a culture also depends on clear,
consistent and frequent actions from all levels of the SAI’s management that
emphasise the importance of quality. (ISSAI 140 element 1 section 4, page 12)

2.3.1. Vision, Mission, Core Values

10. The DAGP should establish a “tone at the top” through developing the vision, mission
and core values, which should be driving principles of the DAGP when conducting its
work. These principles should emphasise the importance of quality in all of the work of
the DAGP.

Quality Control Implications (HO-Level)

The DAGP has established its vision, mission and core values, and all DAGP staff,
including FAO staff, should comply with them:
“Vision: A model supreme audit institution adding value to national resources.
Mission: Serving the nation by promoting accountability, transparency and good
governance in the management and use of public resources...
Core Values: Core values held by AGP are as follows:
• INTEGRITY: is the Way of Life at DAGP; integrity is ensured by:
i) Conforming to ethical standards and code of conduct.
ii) Compliance of professional standards in our work.
iii) Honesty and objectivity in carrying out our work.
• QUALITY: is the Way of Doing Business at DAGP; it is ensured by:
i) Producing Relevant, Timely and Reliable Reports.
ii) Meeting audit objectives in a Cost-Effective manner.
iii) Applying Quality principles and Quality standards in audit planning, execution and
reporting processes.
iv) Providing quality support for efficient implementation of Government policies.
• PARTNERSHIP: is the Way of Interaction; DAGP officers interact with
beneficiaries, it is promoted through better relationship with stakeholders by:
i) Aligning our goals with the Government's reform agenda.
ii) Understanding our audited entities.
iii) Improving communication with stakeholders.
iv) Working as partners, help audited entities achieve their objectives economically,
efficiently and effectively.”

The AGP and the top management of the DAGP, consisting of AAGs, DAGs and DGs,
set the tone at the top. This ensures that work of the DAGP is of the highest quality and

23 |
 is consistent with the highest professional standards of integrity, independence,
objectivity and excellence in public auditing. The senior management communicates to
all staff at the HO and FAO level the importance of quality management in carrying out
their work. All policies created by the DAGP intended for DAGP staff should have
mention of the vision, mission and core values, enabling staff to be informed of their
contents.

11. To effectively implement the tone at the top, management should set the tone by keeping
the DAGP’s ethical values and ethical conduct of staff and management as a key priority.
This should be done by their direct example, by the standards they demand from others
and by the attention and resources they allocate to the subject. Refer to Sections 9 - 13,
Element 2 “Ethics” for further details regarding the ethical values that should be
employed at the DAGP.
12. The DAGP leaders should participate in ethical events and training organized by the
DAGP, portraying that ethical considerations are a top priority for leadership. Specific
training should also be delivered on the leadership role. Good practice includes ethics
training on the leadership role involving practical exercises (checklists, dilemmas,
concrete experiences, etc.), a specific module on ethics delivered to new leaders and a
specific annual event (conference, workshop…) for leaders on ethical matters.
Other initiatives to promote the “tone at the top” and prioritize ethics in the DAGP include:
• Assigning responsibilities to ethics advisors and establishing ethical committees;
• Issuing messages relating to ethical issues on the relevant knowledge-sharing
platforms (e.g.: intranet) whenever a new dilemma or question arises;
• Establishing measures to reward acknowledged ethical behaviour, for instance
through honorarium,
• Taking firm corrective action when needed on the basis of fair hearings.
2.3.2. Auditing and Professional Standards
13. The DAGP should adopt auditing standards aligned with INTOSAI auditing standards.
AGP should also ensure that their staff are aware of the standards, which govern the
audit. Auditing standards are important because:
• The auditing standards governing the conduct of an audit determines what the
auditor must do.
• The fact that an audit has been conducted in accordance with certain standards
gives necessary reassurance to people making use of the accounts.

Quality Control Implications (FAO-Level)

The manuals in place in the DAGP should contain auditing standards used by the DAGP.
Refer to Section 1, Element 5 “Performance of Audit and Other Works” for the manuals
in place that consist of these auditing standards.

14. The DAGP auditing standards provide the framework for performing high quality audits
with competence, integrity, objectivity and independence. Compliance with these
standards is expected to ensure that a high quality of audit is performed for achieving
the audit objectives. All audits conducted on behalf of the DAGP are required to be

24 |
 conducted as per the auditing standards. Detailed guidelines and practice notes have
been prescribed to implement these standards. These standards should be reviewed on
a regular basis to ensure inclusion of the latest developments in the INTOSAI Standards.
15. To incentivize hard work and excellence, DAGP should have in place a rewarding
mechanism to reward high quality of work performed by its staff. Refer to Sections 9 &
10 and 16 - 20, Element 4 “Human Resource” for further details regarding performance
evaluation.

Quality Assurance Implications (QAI&M)

On the basis of quality assurance reviews from QAI&M Wing through QAC meetings
(Refer to Section 9, Element 6 “Monitoring” for further details), a grade is issued to audit
reports. This grade is indicative of the quality of the audit report. A higher grade should
be issued to reports that are of higher quality, i.e. reports that are free from error and
has had its audit work conducted while in compliance with all applicable standards. A
flexible reward management system should be in place to reward and incentivize high
scoring audit reports.

Quality Control Implications (FAO-Level)

This system would include periodic rewards and rewards at the end of audit activity
strictly based on performance evaluation gauged against carefully devised Key
Performance Indicators (KPIs) (refer to Sections 15 - 20, Element 4 “Human Resource”
for further details).

The strategy of each SAI should recognise an overriding requirement for the SAI to
achieve quality in all of its work so that political, economic or other considerations
do not compromise the quality of work performed. (ISSAI 140 element 1 section 5,
page 12)

2.3.3. Strategic Direction and Planning

16. Strategic Planning is a systematic process through which an organization agrees on and
builds commitment among key stakeholders to priorities that are essential to its mission
and are responsive to environment. Strategic planning guides the acquisition and
allocation of resources to achieve these priorities. While the strategic document is a
long-term document, it should be reviewed annually. The vision and mission should be
translated into short, medium and long-term goals so that achievement against these
goals can be measured.
17. The DAGP should employ an overarching strategy to achieve quality in all of its work in
order to ensure its work is independent and objective, free from any political, economic
or other considerations that may compromise its objective to provide public
accountability in every audit report. As per FAM Section 3 Political Neutrality, “It is
important to maintain both the actual and perceived political neutrality of the Department
of the AGP. Therefore, it is important that auditors maintain their independence from
political influence in order to discharge their audit responsibilities in an impartial way.
This is relevant for auditors since Department of the AGP works closely with the
legislative authorities, which is empowered by law to consider the reports of the AGP.”

25 |
 Good practice indicates that transparency is key where political activities are permitted
to members and staff. It is important to publicly disclose them, so that everyone can
scrutinise the audit work and be alert to any potential or real risk to political neutrality. In
this respect, practices implemented by several SAIs are as follows:
• Public political activities of any kind are often forbidden for SAI Heads
• In some cases, they are also forbidden to senior audit staff
• SAIs usually advise their staff to act with discretion when disclosing their political
views, especially when speaking in public, in letters to the press, in books, articles
or leaflets, or in any other media that are in the public domain.
• Some SAIs have issued policies or rules about the use of social media by their
staff.

Quality Control Implications (HO-Level)

In respect of DAGP leadership, special mechanisms should be established to authorise

their external activities during and after their terms of office. External activities may be
defined as any activities that may not be considered to be related to their duties in the
DAGP. To avoid any kind of conflict of interest, conditions for authorising external
activities should be strict and should be made public. Good practice, in principle,
includes:
• There should be no remuneration or payment of any kind (if remuneration or
payment is allowed by the legislation, the rationale and amount must be displayed
transparently),
• There should be no area or matter that might conflict with their audit
responsibilities or damage the reputation of the SAI,
• There should be no activities that might be detrimental to their ability to carry out
their function, and
• Any authorisations in this connection should be granted by a dedicated panel or
committee.

18. The senior management of the DAGP should oversee the overall strategic planning
process and ensure that the strategic plan provides a solid framework for enhancing the
effectiveness of the audit institution as an accountability mechanism. To facilitate
implementation, the HO-level Wings / FAOs in the DAGP should draw up annual plans
to reflect the requirements of the strategic plan. These plans shall incorporate resource
commitments and specific activities in line with the overall strategy of the DAGP.

Quality Control Implications (HO-Level)

As per recommendations from the IDI Strategic Management Handbook15, the strategic
plan should cover a period of three to five years. The strategic plan should be clearly
communicated to DAGP staff. An implementation matrix should be devised against the

15
www.idi.no/elibrary/well-governed-sais/strategy-performance-measurement-reporting/1139-sai-strategic-management-
handbook-version-1/file

26 |
 goals identified in the strategic plan. Key elements of the implementation matrix should
be, at the minimum, as follows:
• Objectives
• Key activities
• Output indicator
• Timeframe
• Funding source
• Responsibility
• Critical success factor
A particular Wing at the HO-Level, appointed by the AGP, should be responsible for
supervising the implementation of the Strategic Plan. For this purpose, the designated
Wing may assign or delegate responsibilities with the approval of the Competent
Authority.
The DAGP should form a Steering Committee (SC) responsible for overseeing the
implementation of the strategic plan. The SC should be mandated to oversee the overall
strategic planning process. The SC should advise the AGP on the strategic matters and
implementation of the identified strategic goals.
The designated Wing should submit an operational plan annually and submit regular
progress reports on the operational plan at fixed, regular intervals to the SC, which
should ideally be monthly. The IDI Strategic Management Handbook Chapter 9 Page
9615 states the following, “The strategic plan needs to be translated into annual
operational plans that define in concrete terms what the SAI will do to implement the
strategic plan in the given year.” The IDI Strategic Management Handbook15 also
provides the format for annual operational plans in Annexure 9 of the document.
The SC should make recommendations, on the basis of the aforementioned status
reports as well as the operational plan, to the AGP on matters that may need intervention
or improvement.
The elements of the implementation matrix shall form the basis for the monitoring and
evaluating the strategic plan. Refer to Annexure F.2.7 Template for the Implementation
Matrix of the DAGP Strategic Plan for a template of a possible implementation matrix.
The SC should submit its own progress report annually to the AGP. Such reports should
cover the progress achieved and activities undertaken during the year, including
bottlenecks, their causes, implications and recommendations. Audit strategy should be
followed by the Audit Wings in close coordination with the Audit Policy Wing.

19. The strategic plan is prepared for a five-year period but should be reviewed at least
annually. Should timelines not be met according to the implementation matrix or if any
major additional considerations arise, the SC should evaluate whether it is necessary to
revise the strategic plan with the approval of the AGP.
2.3.4. Strategic Audit Planning
20. The strategic audit planning is separate from overall strategic planning. The strategic
planning for audits may be merged into the overall strategic planning of the DAGP. The
objectives of strategic audit planning should include at the minimum:

27 |
 • Providing a sound basis for the DAGP’s management to give strategic direction
for audit coverage;
• Identifying and selecting audits with the aim of improving public sector
accountability and administration;
• Yielding an audit programme that is achievable with available resources;
• Enabling a thorough risk assessment which should form the basis of entity
selection in audit selection;
• Providing a basis for the DAGP’s performance assessment and ensure that the
resources of the DAGP are used in the most efficient and effective manner.

SAls should ensure that quality control policies and procedures are clearly
communicated to SAI personnel and to any parties contracted to carry out work for
the SAI. (ISSAI 140 element 1 section 6, page 12)

21. The DAGP should establish principles for internal communication and monitor their
application. Internal communication should include communicating policies and
procedures to FAOs to enhance and ensure audit quality through circulars and standing
orders. All standing orders should be consolidated and maintained effectively. The
communication system should be electronic in nature and allows all staff to
communicate and share information effectively.
Quality Control Implications (HO-Level)

At the HO level, DAGP Wings should use appropriate tools to promote effective internal
communication of their circulars, such as newsletters / magazines, developing email
addresses for all staff or an intranet.
A Manual of Standing Orders (MSO)16 is maintained at the DAGP level to ensure all
standing orders are properly documented and available for all staff to refer to. The DAGP
should ensure that this mechanism is updated regularly and kept relevant at all times.
To achieve this, there should be an underlying database that records any new standing
orders on a real-time basis.
22. For quality control and quality assurance related policies and procedures, QAI&M Wing
should be responsible for the archival and documentation of quality monitoring and act
as a central office of the organization in this regard. QAI&M Wing communicates its
protocols, procedures and policies related to audit quality within the DAGP through
circulars.
23. The DAGP should inform and consult its staff regularly on key issues related to the
organization and the public audit sector. There should be regular and open interactions
between management and staff, such as through organizational and unit-wide briefings
and regular team meetings.

SAls should ensure that sufficient resources are available to maintain the system of
quality control within the SAI. (ISSAI 140 element 1 section 7, page 12)

16
www.agp.gov.pk/SiteImage/Misc/files/DAGP-MSO-Book-2017(2).pdf

28 |
24. Sufficient resources are necessary to maintain quality control and quality assurance
systems within the DAGP. This means that both QAI&M Wing, the primary hub for quality
assurance activities, and FAOs, the primary caretaker of quality control procedures
impacting audits, should be provided sufficient resources to maintain the quality
management system of the DAGP. For the quality control implications at the FAO level
in this regard, refer to Section 20, Element 3 “Acceptance and Continuance”.
Quality Control Implications (HO-Level)

Periodic, preferably yearly, staffing assessments should be carried out by every Wing at
the HO level to ensure adequate staffing arrangements in order for them to maintain
their quality control system. The results of these assessments should be reviewed and
approved by the AGP, who may create temporary posts if there is a need to arrange
staff immediately; furthermore, the AGP should consider taking actions secure an
expansion of their budget to facilitate converting such posts to permanent positions. As
per INTOSAI P-10 Principle 817, “The SAI has ‘the right of direct appeal’ to the
Legislature if the resources provided are insufficient to allow it to fulfil its mandate.”

17
www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_1_u_P_10/INTOSAI-P-10_en.pdf

29 |
 Element 2:
3
Ethics
An SAI should establish policies and procedures designed to provide it with
reasonable assurance that the SAI, including all personnel and any parties
contracted to carry out work for the SAI, comply with relevant ethical
requirements. (ISSAI 140, element 2, key principle, page 13)

The DAGP should establish policies and procedures designed to provide it with
reasonable assurance that the DAGP and its personnel comply with relevant ethical
requirements.

3.1. Index for Implications

As discussed in Section 1.6.3, quality control or quality assurance implications may arise to
impact the quality control or quality assurance systems of the DAGP (a summary of which is
available in Annexure E “Summary of Quality Control / Assurance Implications”); hence, the
index below has been developed to provide guidance regarding where details of the major
implications, relevant to this chapter, may be found. However, to truly understand and apply
ISSAI 140 in the work of the DAGP, it is strongly recommended to read the chapter in order.

ISSAI 140 Implication on DAGP Mechanism Aligning DAGP with Section

ISSAI 140 No.
Contracted out parties should be made Confidentiality agreements to be signed 5
aware of the relevant ethical with third parties to protect the sensitive
requirements. data related to audits.
Code of Ethics should be developed in A review of the standards used by the 6
line with ISSAI 130. DAGP should be conducted on a fixed
basis.
DAGP staff should comply with ethical Details of the Code of Conduct Declaration 14 & 20
requirements. required of DAGP staff.
The DAGP should establish a mechanism Details of ethics hotline and Ethics 16
to enable the identification of significant Committees.
threats to independence.
Rotation of key audit staff is necessary to Details of a Job Roster for Staff Rotation. 21
reduce the risk of familiarity with the
audited entity / formation.

30 |
3.2. Ethical Requirements
SAls should emphasise the importance of meeting relevant ethical requirements in
carrying out their work. (ISSAI 140 element 2 section 1, page 13)
All SAI personnel and any parties contracted to carry out work for the SAI should
demonstrate appropriate ethical behaviour. (ISSAI 140 element 2 section 2, page 13)
The Head of the SAI and senior personnel within the SAI should serve as an example
of appropriate ethical behaviour. (ISSAI 140 element 2 section 3, page 13)
SAIs should ensure that any parties contracted to carry out work for the SAI are
subject to appropriate confidentiality agreements. (ISSAI 140 element 2 section 7,
page 14)

1. The Code of Ethics is a comprehensive document of the values and principles which
should guide the work of auditors in all respects. The nature, independence, powers and
responsibilities of the auditor involved in the public sector place high ethical requirements
on the DAGP and the staff deployed on audit work. The DAGP has developed a Code
of Ethics document in-line with the Lima Declaration of Guidelines on Auditing Precepts
and ISSAI 30, which is part of the FAM and the Audit Manual for FAP currently in place
at the DAGP. Refer to Section 6 of this Element for further details.
2. The AGP, AAGs, DAGs and DGs should provide the vision, inspiration and purpose to
influence the DAGP’s staff to behave in an ethical manner. The tone should be set at the
top by keeping the DAGP’s ethical values and the ethical conduct of staff and
management as a key priority.
3. This Code of Ethics for auditors in the public sector outlines the ethical principles of
auditors, including the latter’s professional obligations. The Code of Ethics covers
requirements at the individual level i.e. the AGP, Executive Officers and all staff working
for or on behalf of the DAGP involved in audit work. It is the responsibility of the AGP to
ensure that all of its staff familiarise themselves with the values and principles contained
in this Code of Ethics and act accordingly.
4. The Code of Ethics envisages appropriate ethical behaviour on the part of the head of
the DAGP and all individuals working for or on behalf of the AGP who are involved in the
audit process. The AGP, AAGs, DAGs and DGs should set an example for appropriate
ethical behaviour.
5. DAGs of their respective Audit Wing should ensure that any third party contracted out to
carry out the work on behalf of the DAGP should be made aware of the relevant ethical
requirements. Such requirements should be made part of the contract and a monitoring
mechanism should be setup to ensure compliance with these requirements.

Quality Control Implications (HO-Level)

The AGP should ensure that a balance exists between confidentiality, transparency and
accountability with respect to all audit related and other information. The DAGP should
have an adequate system in place for maintaining confidentiality especially when work
is contracted out to any third party. The system should include confidentiality agreements
to be signed with third parties to protect the sensitive data related to audits.

31 |
3.3. Legal and Regulatory Environment
The relevant ethical requirements should include any requirements set out in the
legal and regulatory framework governing the operations of the SAI. (ISSAI 140
element 2 section 4, page 13)
Ethical requirements for SAIs may include or draw on the INTOSAI ISSAI 130 - Code
of Ethics and the IFAC ethical requirements, as appropriate to its mandate and
circumstances and to the circumstances of their professional staff. (ISSAI 140
element 2 section 5, page 13)

6. The DAGP’s Code of Ethics document has been developed in line with ISSAI 30 “Code
of Ethics” and the Lima Declaration of Guidelines on Auditing Precepts. For the Code of
Ethics used by the DAGP, refer to FAM Section 3.3 “Code of Ethics” or Audit Manual for
FAP Section 2.5 “Code of Ethics”.
Quality Control Implications (HO-Level)

The Code of Ethics in the DAGP should be reassessed and updated in line with ISSAI
130 “Code of Ethics”18 to ensure compliance with the latest ethical requirements as per
international standards. To ensure no other alignments to applicable standards are
required, a review of the standards used by the DAGP should be conducted on a fixed
basis (preferably annually) by an experienced team.
7. Ethics management should include policies and practices that create conditions to
ensure fair and impartial selection, promotion and remuneration and contribute to social
respect. One of the key approaches to promote ethical behaviour should be to include a
commitment to ethical values and principles as a criterion in all HR policies and
procedures: recruitment, performance appraisal and professional & career development
of all DAGP staff.
8. Being responsible for auditing public money, the expectations with the DAGP are high.
Therefore, it is necessary to earn the trust of all stakeholders, including citizens,
government, audited entities and others. It is essential for the DAGP to act as model and
inspire confidence and credibility. To achieve this, ethical behaviour is one of the key
elements in establishing and sustaining the required reputation and trust, a Code of
Ethics is a linchpin for the functioning of the DAGP.

SAls should ensure policies and procedures are in place in line with ISSAI 130, i.e.:
• integrity;
• independence, objectivity and impartiality;
• professional secrecy; and
• competence. (ISSAI 140 element 2 section 6, page 13)

9. The key elements of DAGP’s ethical requirements include the following principles:

18
www.intosai.org/fileadmin/downloads/documents/open_access/ISSAI_100_to_400/issai_130/ISSAI_130_en.pdf

32 |
 • integrity;
• independence, objectivity and impartiality;
• professional secrecy; and
• competence
3.3.1. Integrity:
10. Integrity is the core value of the DAGP’s Code of Ethics. The DAGP staff have a duty to
follow high standards of honesty and candidness in the course of their work and in their
relationships with the staff of audited entities.
The DAGP staff should take due care in discharging their duties. The authority,
information and resources at their disposal should only be used for the benefit of the
public interest and should not be used to obtain favours or personal benefits for them or
for third parties.
3.3.2. Independence, Objectivity and Impartiality:
11. Independence from the audited entity is vital for the auditors. The DAGP staff should
behave in a way that maintains their independence at the highest standards.
DAGP staff should strive not only to be independent of audited entities, but also to be
objective in carrying out their professional duties, particularly in their reports, which
should be accurate and objective. Conclusions in opinions and reports should, therefore,
be based exclusively on evidence obtained and assembled in accordance with the
auditing standards of the DAGP.
In cases where any staff evaluates that their independence, objectivity and impartiality
is being affected due to any internal or external factor, the same should immediately be
reported to their immediate supervisor (Please refer to Section 3.4 “Protection of the
Auditor” of FAM for detailed steps to be followed in such cases).
3.3.3. Professional Secrecy:
12. The DAGP staff should not disclose information related to the audited entity to any third
parties in any form. Any sharing of information shall be made in accordance with relevant
laws and shall be routed through the DAGP.
3.3.4. Competence:
13. The DAGP staff should be well versed in applicable auditing, accounting, and financial
management standards, policies, procedures and practices. They should also possess
a good understanding of the constitutional and legal principles and applicable laws
governing the operations of the audited entity.

SAls should consider the use of written declarations from personnel to confirm
compliance with the SAI’s ethical requirements. (ISSAI 140 element 2 section 8, page
14)

33 |
14. As per ISSAI 13019, the DAGP should establish a system to ensure that its audit staff
comply with following ethical requirements, including integrity, independence, objectivity,
competence, professional behaviour, confidentiality and transparency.

Quality Control Implications (FAO-Level)

The DG of the respective FAO should ensure that yearly Code of Conduct declarations,
which include the Code of Ethics, should be signed by each audit staff to ensure that
each staff is familiar with the relevant ethical requirements required to be followed during
the discharge of their professional duty. Refer to Annexure F.1.1 “Code of Conduct
Declaration” for the template that should be used.

SAls should ensure policies and procedures are in place to notify the Head of the SAI
in a timely manner of breaches of ethical requirements and enable the Head of the
SAI to take appropriate action to resolve such matters. (ISSAI 140 element 2 section
9, page 14)

15. The AGP should ensure that the internal environment is conducive for staff to raise
ethical breaches and ensure that AGP should respond to integrity breaches in a timely
and adequate manner.
16. The DAGP should establish a mechanism to enable the identification of significant
threats to independence, and the application of controls to mitigate them, as well as
provide guidance and direction for staff in this respect. It should adopt policies to ensure
that audit staff, particularly at the senior level, do not develop relationships to audited
entities that may put their independence or objectivity at risk.

Quality Control Implications (HO-Level)

An anonymous ethics hotline (on-line system and / or phone line) should be established
where ethical breaches can be reported. Hotlines should be anonymous to protect users
from retribution from any retaliation from concerned party or senior officials that may be
implicated in the complaint.
The owner of this function should be the ethics committees formed at the HO-Level
under each DAG (who shall act as chairman) that oversees FAOs in order to ensure
effective monitoring of the ethical practises within the DAGP. These committees should
monitor and deal with any ethical breaches. The access to ethical hotlines shall be
restricted to these committees in order to provide confidence to staff for reporting ethical
breaches. Refer to Annexure D “Terms of References for Ethics Committees” for further
details regarding the function of these committees.

19
www.intosai.org/fileadmin/downloads/documents/open_access/ISSAI_100_to_400/issai_130/ISSAI_130_en.pdf

34 |
3.4. Staff Development
SAIs should ensure appropriate policies and procedures are in place to maintain
independence of the Head of the SAI, all personnel and any parties contracted to
carry out work for the SAI. (ISSAI 140 element 2 section 10, page 14)
SAIs should ensure policies and procedures are in place that reinforce the
importance of rotating key audit personnel, where relevant, to reduce the risk of
familiarity with the organisation being audited. SAls may also consider other
measures to reduce the familiarity risk. (ISSAI 140 element 2 section 11, page 14)

17. The independence of the AGP is ensured by the relevant articles of the Constitution20.
The Constitution20 gives adequate safeguards to the independence of the AGP, including
their appointment, tenure, removal, discharge of powers and reporting.
18. As per Article 81 of the Constitution20, the expenditure of the DAGP is charged
expenditure upon the Federal Consolidated Fund. The AGP should ensure that any
interference in the budget allocation of the DAGP should be reported to the President of
Pakistan to maintain its independence.
19. Policy and Procedures have been developed to ensure independence of the AGP, staff
of the DAGP and any third party contracted out to carry out the work on behalf of the
DAGP.
Section 4.3 “Standards with Ethical Significance” of FAM gives comprehensive
guidelines and procedures to be followed to ensure independence of AGP and all its
staff throughout the audit process. Some key guidelines include:
“4.3.5 The important results of audits of the carrying-out of the budget and of
administration and disputes and disagreements with audited administrations shall be
brought to the attention of the legislative body by way of report or special
communication.”
“4.3.6 Special committees created within the legislative body may be charged with
examining, in the presence of delegates from the audited services and other
representatives, the comments in the reports and special communications of the
Department of the AGP.”
“4.3.8 While the Department of the AGP observes the laws enacted by the legislature,
adequate independence requires that it not otherwise be subject to direction by the
legislature in the programming, planning and conduct of its work in accordance with its
mandate and adopt methodologies appropriate to audits. The Department of the AGP
needs freedom to set priorities and programme the audits to be undertaken.”
“4.3.13 It is important for the independence of the Department of the AGP that there be
no power of direction by the executive in relation to the Department’s performance of its
mandate. The Department shall not be obliged to carry out, modify or refrain from
carrying out, an audit or suppress or modify audit findings, conclusions and
recommendations.

20
www.na.gov.pk/uploads/documents/1333523681_951.pdf

35 |
 “4.3.25 Any personnel of the Department of the AGP having close affiliations with the
management of an audited entity, such as social, kinship or other relationship conducive
to a lessening of objectivity, shall not be assigned to audit that entity.”
20. The DAGP should put in place a mechanism to ensure independence of the audit staff
is maintained. There are two key steps involved:
• Each audit staff should be required to disclose associated persons posted and or
whether it has any personal or financial interest in any audited entities / formations.
• Each audit staff declare that it will conduct the assigned audit in a fair, honest,
timely and competent manner and will not accept any incentive, gifts and
hospitality directly or indirectly from the audited entity

Quality Control Implications (FAO-Level)

A yearly independence confirmation should be signed by all audit staff of each FAO. The
DG of the respective FAO should be responsible for taking written confirmations from
their respective staff involved in the audit process.
For the independence confirmation template, please refer to Annexure F.1.1 “Code of
Conduct Declaration”.

21. Rotation of key audit staff is necessary to reduce the risk of familiarity with the audited
entity / formation. A rotation policy is therefore necessary to avoid auditors auditing the
same area over a too long period of time in order to preserve their independence,
objectivity and impartiality; in addition, rotation also promotes personal development and
contributes towards the motivation of staff. Good practice examples in a rotation policy
include:
• Compulsory mobility for auditors after a period of five, seven or eight years in the
same department
• Compulsory mobility for management posts after a period of seven years
• Encouraging, facilitating and monitoring the effective rotation of staff
• Considering the effective rotation of staff as a positive factor in the annual
appraisal report and in the career development of auditors
• Establishing other safeguards when full rotation is not feasible. This includes, for
instance, the possibility of rotating audit fields, instead of auditors themselves, thus
maintaining successful teams
Rotation policies also present some risks:
• They may jeopardize the necessary audit knowledge and expertise within the team
responsible for the engagement
• They may be impossible to adopt, or they might be ineffective in small FAOs
Alternative measures to preserve the independence, impartiality and objectivity might
involve:

36 |
 • Regular scrutiny of rotation possibilities in order to rotate staff whenever feasible;
e.g. the SAI’s management team could analyse the staff situation every year and
take any rotation decisions that are possible;
• A more flexible composition of the audit teams; e.g. ensuring the replacement of
the most senior member on a regular basis, with one auditor always assigned on
a short-term schedule (one or two years), etc.
• Stronger collegiality, division and review of audit work.

Quality Control Implications (FAO-Level)

DAGP staff should identify possible threats and situations in which their independence
may be impaired, including with regard to familiarity threats. To address these risks, the
DG of respective FAO should implement a rotation policy of DAGP staff at the FAO level,
or equivalent measures if such rotation is not feasible. Should the FAO be deemed
suitable for the rotation of staff, refer to Annexure F.2.3 “Staff Roster for Job Rotation”
for the template of job rotation.

22. The DAGP should ensure adequate policies and procedures are in place to ensure
independence of the third party contracted out to carry out the work on behalf of the
DAGP. The contract signed with the third party should, at the minimum, include:
• Disclosures of associated persons with the audited entities;
• Restricted access to use of information / data obtained during audits;
• A clearly defined reporting line;
• A requirement to sign an undertaking to ensure independence of its members in
carrying out the work; and
• A confidentiality agreement.

37 |
 Element 3:
4
Acceptance and
Continuance
An SAI should establish policies and procedures designed to provide the SAI with
reasonable assurance that it will only carry out audits and other work where the SAI:
a) is competent to perform the work and has the capabilities, including time and
resources, to do so;
b) can comply with relevant ethical requirements; and
c) has considered the integrity of the organisation being audited and has
considered how to treat the risk to quality that arises.
The policies and procedures should reflect the range of work carried out by each
SAI. In many cases SAls have little discretion about the work they carry out. SAIs
carry out work in three broad categories:
• Work that is required of them by their mandate and statute and which they have
no option but to carry out;
• Work that is required by their mandate, but where they have discretion as to
the timing, scope and/or nature of work;
• Work that they can choose to carry out. (ISSAI 140, element 3, key principle,
page 15)

The DAGP should establish policies and procedures for the acceptance and
continuance of client relationships and specific engagements, designed to provide
the DAGP with reasonable assurance that it will only undertake or continue
relationships and engagements where the DAGP:
a) is competent to perform the engagement and has the capabilities, including
time and resources, to do so;
b) can comply with relevant ethical requirements; and
c) has considered the integrity of the Audited Entity and does not have
information that would lead it to conclude that the Audited Entity lacks integrity.

38 |
4.1. Index for Implications
As discussed in Section 1.6.3, quality control or quality assurance implications may arise to
impact the quality control or quality assurance systems of the DAGP (a summary of which is
available in Annexure E “Summary of Quality Control / Assurance Implications”); hence, the
index below has been developed to provide guidance regarding where details of the major
implications, relevant to this chapter, may be found. However, to truly understand and apply
ISSAI 140 in the work of the DAGP, it is strongly recommended to read the chapter in order.

ISSAI 140 Implication on DAGP Mechanism Aligning DAGP with Section

ISSAI 140 No.
The DAGP should manage the risks to Continuous compilation of relevant risks in 3 & 16
quality which arise from carrying out their a risk management document, carefully
work through risk management scoping audit work in the audit plan and
procedures established during the documenting important planning decisions
planning phase. the working papers of the planning file.
The DAGP should classify risks and Communication of Field Audit Instructions 9
communicate the key areas to field and key risk areas identified to field
auditors along with advice and tools to auditors.
assist in determining the means to
address them.
The DAGP should mitigate the risks of Utilization of an independent quality control 17
high-risk audits through in-depth quality reviewer for audits to review the quality of
control reviews. audit work performed.
The DAGP should consider their work Periodic staffing assessments and utilizing 19 & 20
programme and whether they have the temporary staffing measures at the
resources to deliver the range of work to operational level to ensure the FAOs are
the desired level of quality. equipped to perform their duties.

39 |
 4.2. Risk Management
For all audits and other work carried out, SAIs should establish systems to consider
the risks to quality which arise from carrying out the work. These will vary, depending
on the type of work being considered. (ISSAI 140 element 3 section 1, page 16)

1. The auditor shall actively manage audit risk to avoid the development of incorrect or
incomplete audit findings, conclusions, and recommendations, providing unbalanced
information or failing to add value. (ISSAI 3000 Section 5221)
4.2.1. Risk Assessment in Audits
2. Risk assessment is an important tool for audit planning. A risk assessment should be
carried out with reference to the various parameters of the audited entity, programme or
the subject matter. A good risk perception of the programme or entity's performance will
facilitate determining the risk areas, audit objectives and setting the most appropriate
audit criteria. It will also assist in selection of appropriate sampling techniques for the
units to be selected and audited.
3. Actively managing audit risk includes the following:
• Anticipating the possible or known risks of the work envisaged;
• Developing audit approaches to address those audit risks during audit planning
and the selection of methods; and
• Documenting how those risks will be handled.
• Reassessing risk at the end of an audit in order to conclude if sufficient,
appropriate audit evidence has been obtained.

Quality Control Implications (FAO-Level)

The primary means to assess and manage risks are through audit plans formulated
during the audit planning stage. Refer to Sections 5 - 11 Element 5 “Performance of
Audit and Other Work” for further details.
The DAGP should manage the risks to quality which arise from carrying out their work
through risk management procedures established during the planning phase. In
particular, the DG of the respective FAO should ensure that a Risk Area Digest (RAD)
be maintained and updated on an annual basis, incorporating all relevant risk areas of
audited entities that can be gleaned prior to commencing audits of the respective audited
entity in order to shape the level of professional scepticism before auditors perform their
detailed audit procedures. Extracts of this document for a particular audited entity may
be included in their respective permanent file to assist in understanding the entity. Refer
to Annexure F.2.1 “Risk Area Digest” for a template of the RAD.
Risk assessment forms a crucial part of audit planning for each individual audit
engagement as well. Several planning file templates exist, aside from the RAD, in the

21
www.issai.org/wp-content/uploads/2019/08/ISSAI-3000-Performance-Audit-Standard.pdf

40 |
 Working Paper Kit of FAM to assist in this regard. Refer to Section 2, Element 5
“Performance of Audit and Other Works” for further details.
At the start of the planning phase of an audit, instructions should be issued to audit
teams prior to the commencement of audits. These instructions should include
information and advice related to dealing with identified risk areas of particular audited
entities. Refer to Annexure F.2.2 “Template for Field Audit Instructions” for a template
stipulating a basic structure of the instructions to be provided to the audit teams prior to
the commencement of their audits.

4. Actively managing audit risk also includes considering whether:

• the audit team has sufficient and appropriate competence to conduct the audit;
• has adequate access to accurate, reliable and relevant good quality information;
• has considered any new information that is available; and
• has considered alternative perspectives. (ISSAI 3000 Section 5422)

SAIs should assess if a material risk to their independence exists in accordance with
INTOSAI-P 10. (ISSAI 140 element 3 section 3, page 16)
Where such a risk is identified, the SAI should determine and document how it plans
to address this risk and ensure an approval process is in place and is adequately
documented. (ISSAI 140 element 3 section 4, page 16)

5. The auditor should comply with the DAGP’s procedures for independence and ethics,
which in turn shall comply with the related ISSAIs on independence and ethics. Refer to
Sections 6 - 14, Element 2 “Ethics” for further details on ethical requirements within the
DAGP.
6. DAGP staff should be free of impairments to independence, whether real or perceived,
that result from political bias, participation in management, self-review, financial or other
personal interest, or relationships with, or undue influence from, others. For this purpose,
DAGP staff shall:
• maintain independence from political influence and be free from political bias;
• not be involved in the audited entity management’s decision-making;
• not audit their own work;
• avoid auditing entities in which they have recently been employed, without
appropriate safeguards;
• avoid circumstances where personal interests could impact decision-making;
• avoid circumstances where relationships with the management or personnel of the
audited entity or other entities could impact decision-making; and
• refuse gifts, gratuities or preferential treatment that could impair independence or
objectivity.

22
www.issai.org/wp-content/uploads/2019/08/ISSAI-3000-Performance-Audit-Standard.pdf

41 |
 Quality Control Implications (FAO-Level)

DG of the respective FAO should ensure that an independence confirmation be signed

by the DAGP staff at the FAO level to confirm that they have read and agree to the
requirements necessary for them to remain independent. Refer to Annexure F.1.1 “Code
of Conduct Declaration” for the template for this independence confirmation.

7. DAGP staff should identify possible threats and situations in which their independence
may be impaired. The DAG of their respective Audit Wing (at the HO level) while the DG
of their respective FAO (at the FAO level) should be the responsible for implementing
independence related controls such as:
• Declarations of interests and conflicts of interest by every staff of DAGP to help
identify and mitigate threats to independence;
• Measures to help senior staff supervise and review work according to professional
criteria designed to exclude outside influences that could impact on DAGP and its
staff’s independence or objectivity;
• Policies and procedures to address threats, such as removing an individual with a
conflict of interest from the audit team, or reviewing any significant judgements
made by that individual while on the team;
• Policies and procedures to identify and address situations where an audit staff
member has recently been an employee of the audited entity or has audited the
same subject matter under a different organisation;
• Policies for periodic rotation of staff or equivalent measures where rotation is not
feasible as stated in ISSAI 130 Section 3923 (refer to Annexure F.2.3 “Staff Roster
for Job Rotation” for a template).

Quality Control Implications (FAO-Level)

As per ISSAI 130 Section 3523, DAGP staff should inform the management about any
pre-existing relevant relationships and situations that may present a threat to
independence or objectivity due to a conflict in interest. Refer to Annexure F.1.1 “Code
of Conduct Declaration” for the template for this independence confirmation.
For addressing familiarity risks, the DG of the respective FAO should implement a
rotation policy of the staff at the FAO level, or equivalent measures if such rotation is not
feasible. Should the FAO be deemed suitable for rotation of staff, refer to Annexure F.2.3
“Staff Roster for Job Rotation” for the template of job rotation.

Where the integrity of the audited organisation is in doubt, the SAI should consider and
address the risks arising from the capability of staff, the level of resources, and any
ethical issues which might arise in the audited organisation. (ISSAI 140 element 3
section 5, page 16)

23
www.intosai.org/fileadmin/downloads/documents/open_access/ISSAI_100_to_400/issai_130/ISSAI_130_en.pdf

42 |
8. As per INTOSAI P-12 Principle 524, “SAIs should ensure that stakeholders’ expectations
and emerging risks are factored into strategic, business and audit plans, as appropriate.”
9. Through risk assessment procedures (such as desk audits at the planning stage),
audited entities should be appropriately classified according to the level of risk.

Quality Control Implications (FAO-Level)

At the start of the planning phase, DG of the respective FAO should ensure that
instructions be issued to audit teams prior to the commencement of audits. These
instructions should include information and advice related to dealing with identified risk
areas of particular audited entities. With the assistance of the RAD document, teams
should be made aware of the risks, through these instructions, regarding the capability
of staff, the level of resources and any ethical issues that may arise.
Refer to Annexure F.2.2 “Template for Field Audit Instructions” for a template stipulating
a basic structure of the instructions to be provided to the audit teams prior to the
commencement of their audits.

10. If a risk emerges and it was not taken into account during risk assessment in the planning
stage of the audit, the appropriate management levels should be informed. On the basis
of the previously undiscovered risk, the DG of the respective FAO should evaluate
whether it would impact the audit plan in a material manner. If so, the audit plan should
be revised, and the DAG of the respective FAO should be informed.

SAls should consider procedures for acceptance and continuance of discretionary

work, including work which is contracted out. If the SAl decides to carry out the work,
the SAl should ensure the decision is approved at the appropriate level within the SAI,
and that the risks involved are assessed and managed. (ISSAI 140 element 3 section
6, page 16)

SAls should consider disclosing in their reports any specific matters that would
ordinarily have led the SAl to not accept the audit or other work. (ISSAI 140 element 3
section 8, page 17)

11. The DAGP should give priority to any audit tasks, which must be undertaken by law, and
assess priorities for discretionary areas within the DAGP's mandate; nevertheless, the
DAGP retains authority on accepting discretionary work.
With regard to discretionary work requested of the AGP, FAM Section 4.3.9 states, “In
cases where the legislature requests the AGP to undertake any audit, the DAGP shall
be free to determine the manner in which it may conducts its work, including those tasks
requested by the legislature”.
12. INTOSAI P-10 (Mexico Declaration on SAI Independence)25 notes one of its principles
as “The freedom to decide the content and timing of audit reports and to publish and
disseminate them”. The DAGP should be independent in deciding the content, timing of
audit and in publishing them. Timelines of the audits should be decided at the time of
the review of audit plans within the DAGP and no external decision making should be

24
www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_11_to_P_99/INTOSAI_P_12/INTOSAI_P_12_en.pdf
25
www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_1_u_P_10/INTOSAI-P-10_en.pdf

43 |
 included in this. FAM Section 7.11.1 “Sample Selection” states, "With direction from
DAGP, auditors have the freedom to extend the scope of their audit to extend audit
coverage to as many sub-entities as deemed appropriate, and the coverage within each
sub-entity, even 100% sampling, is also discretionary."
13. In planning an audit for discretionary work, the auditor should:
• Identify the objective of the task assigned to the DAGP;
• Identify important aspects of the environment in which the audited entity operates;
• Develop an understanding of the accountability relationships;
• Consider the form, content and users of audit opinions, conclusions or reports;
• Formulate Terms of References (TORs) for the engagement, specifying the audit
objectives and the tests necessary to meet them;
• Identify key management systems and controls and carry out a preliminary
assessment to identify both their strengths and weaknesses;
• Determine the materiality of matters;
• Determine the most efficient and effective audit approach; and
• Provide for appropriate documentation of the audit plan and for the proposed
fieldwork. The DAGP may revise the plan during the audit when necessary.
The planning for the audit should be reviewed and approved by the DG of the FAO and
their respective DAG.
14. For work of a specialized nature, relevant SOPs and guidelines should be used for the
planning and execution stage of the work. Staff utilized should be equipped with the
necessary knowledge and expertise of the work.

SAls should ensure that their risk management procedures are adequate to mitigate
the risks of carrying out the work. The response to the risks may include:
- carefully scoping the work to be performed;
- assigning more senior/experienced staff than would ordinarily be the case; and
- doing a more in depth engagement quality control review of the work before a report
is issued. (ISSAI 140 element 3 section 7, page 16)

15. The DAGP should ensure that it has adequate risk management procedures in place
that are sufficient and appropriate to mitigate the risks of carrying out the work. Risk
assessment is an important tool in the risk management process. The DAGP should
carry out risk assessment with reference to the various parameters of the entity,
programme or the subject after a careful study of all relevant documents. A good risk
perception of the programme or entity's performance will facilitate determining the audit
thrust areas, audit objectives and setting the most appropriate audit criteria. It will also
assist in selection of more senior staff for risky areas.
16. The audit plan should, at the minimum, include:
• A clear statement of the audit objectives;

44 |
 • Statement of the magnitude of operations (expenditures, revenues, assets,
personnel), the significant line items and accounts in the financial statements and
significant financial statement assertions;
• Summary of significant issues and results of an initial risk assessment; and
• Proposed audit scope, including types of audit activity, locations to be visited,
functions, activities, systems and procedures to be examined, aspects of
performance to be covered, audit methods and tests; and samples selected or
methods of selecting samples.
Refer to Sections 5 - 11, Element 5 “Performance of Audit and Other Work” for further
details regarding audit plans as part of the audit planning phase.
17. For audits that are of particular high risk, especially those of discretionary work, a more
in-depth engagement quality control review of the audit work should be performed than
usual.

Quality Control Implications (FAO-Level)

A key component of quality control is the EQCR. An EQCR should be an AO (or this role
assigned to any other staff as per discretion of the DG of respective FAO), independent
from the audit team, who conducts an objective evaluation of significant matters,
including risks identified and significant judgments made by the audit team, and the
team’s conclusions reached in formulating the audit report. For high risk audits, prior to
the submission of the audit report for internal as well as external QAC, the audit work
performed should be reviewed in detail. The EQCR should have no involvement in the
work of the audit team. For audits of a specialized nature, the EQCR should have the
necessary knowledge and expertise in order to assess the quality of the work performed
appropriately.
If delays are experienced in carrying out Departmental Accounts Committee (DAC)
meetings, the report should not delay its timelines and continue its track towards review
and finalization prior to final sign off by AGP; thus, an EQCR should be appointed for an
internal independent review once it is deemed suitable and not on the basis of DAC
meetings.

45 |
4.3. Resource Management
SAIs normally operate with limited resources. SAIs should consider their work
programme and whether they have the resources to deliver the range of work to the
desired level of quality. To achieve this, SAIs should have a system to prioritise their
work in a way that takes into account the need to maintain quality. If resources are not
sufficient and pose a risk to quality, the SAI should have procedures to ensure that the
lack of resource is brought to the attention of the Head of the SAI and, where
appropriate, the legislature or budgetary authority. (ISSAI 140 element 3 section 2, page
16)

18. To consider whether the DAGP has adequate resources to deliver the range of work to
the desired level of quality, an effective planning phase should be ensured. An effective
audit plan considers that formations are selected on the basis of risk, prioritizes
formations to the DAGP’s mandate and current focus, considers significance of risk
factors and auditability.

Quality Control Implications (FAO-Level)

FAOs should ensure that they utilize audit plan templates for the particular type of audit
they are engaging in and that they are up to date. For guidance on the formulation of
audit plans, the auditor should consult the relevant audit manual for their nature of work.
Refer to Section 1 Element 5 “Performance of Audit and Other Work” for further
information regarding the policies and tools in place for the auditor to utilize.

19. The knowledge, abilities, availability and skills of auditors are significant elements in
completion of efficient and relevant audit assignments. Equally important is the proper
development and training of the audit workforce to enable them to maximize their talents
and potentials. The audit teams should have collective knowledge of their subject matter
and auditing proficiency necessary to fulfil the requirements of the audit. Resources
required to undertake each audit need to be assessed so that suitably skilled staff may
be assigned to the work.

Quality Control Implications (FAO-Level)

It should be the prime responsibility of the DG of the respective FAO to ensure the
effective allocation of resources to different audits undertaken by the FAO. Periodic,
preferably yearly, staffing assessments should be carried out to ensure adequate
staffing arrangements to execute and maintain quality of audit work. Through these
assessments, staffing needs to fulfil an FAO’s objectives will be able to be identified.
As the DG of the FAO needs to understand the level of resources necessary at a
particular audited entity, they should have a clear understanding of the audited entity.
To achieve this purpose, a rigorous planning process is necessary that takes into
account the needs of each audited entity and the resources available to the FAO. Refer
to Sections 1 - 11 Element 5 “Performance of Audit and Other Work” for further details
regarding the planning process necessary for this purpose.

46 |
20. The AGP should have the powers to maintain their independence in resource
management. Upon the basis of information determined through staffing assessments,
the AGP should have full powers for the creation of temporary posts. For subsequent
years, the AGP should be able to convert temporary posts to permanent positions,
expanding their budget, by submitting their request to the President of Pakistan.

Quality Control Implications (HO-Level)

The Finance Division, through their letter No.F.3(15)Exp-III/2002/110 dated 28 February

2003, has delegated the AGP powers to maintain its independence in resource
management. Upon the basis of information determined through staffing assessments,
the AGP has full powers for the creation of temporary posts up to BS-19 during a
financial year provided that expenditure is met from within the allocated budget of AGP.
The budget allocation of these posts would be reviewed at the time of preparation of the
next budget.
The AGP also has full powers to create posts of officers on special duty for the
following reasons:
• Government Servants waiting for posting orders.
• For doing work of a special nature i.e. examination and / or implementation of
report of commission / committee etc.
• For overcoming technical difficulties.
To further maintain the AGP’s independence in resource management, the AGP is
provided a charged up budget, as stated in the Constitution26. Article 81 of the
Constitution26 states, “The following expenditure shall be expenditure charged upon the
Federal Consolidated Fund:
a) The remuneration payable to the President and other expenditure relating to his
office, and the remuneration payable to-
v. The Auditor-General; ”

21. The audit team should have the benefit of drawing services of subject matter experts
and other knowledgeable groups or individuals available within the organisation, where
it may be necessary to obtain expert advice, particularly when the audit team lacks the
necessary specialized knowledge. If skills are not available internally, AGP may take a
decision to hire the services of an outside expert. Refer to Sections 24 - 27, Element 4
“Human Resource” and Sections 17 - 20, Element 5 “Performance of Audit and Other
Work” for further details on the hiring of outside experts.
22. The need for specialized expertise should be identified at an early stage in the planning
process. The early identification will allow the necessary lead time to acquire suitable
staff from within the office or seek experts outside.
23. For each audit engagement, the staff should be identified based on the required
competence, knowledge and skills in the audit work to be engaged in and the audit work
assigned. The role of each member of the audit should be clearly defined. The following
factors should be taken into consideration in making assignments of individuals:

26
www.na.gov.pk/uploads/documents/1333523681_951.pdf

47 |
 • Staffing and timing requirements of the specific audit;
• Evaluation of the qualifications of personnel as to experience, position,
background, and special expertise;
• The planned supervision and involvement by supervisory personnel; and
• Appropriate consideration to be given, in assigning personnel, to both continuity
and rotation to provide for efficient conduct of the audit and the perspective of
other personnel with different experience and backgrounds.

48 |
 Element 4:
5
Human Resource
The DAGP should establish policies and procedures designed to provide it with
reasonable assurance that it has sufficient personnel with the competence,
capabilities and commitment to ethical principles necessary to:
• perform engagements in accordance with professional standards and
applicable legal and regulatory requirements; and
• enable the DAGP to issue reports that are free from error as best as
circumstances allow.

5.1. Index for Implications

As discussed in Section 1.6.3, quality control or quality assurance implications may arise to
impact the quality control or quality assurance systems of the DAGP (a summary of which is
available in Annexure E “Summary of Quality Control / Assurance Implications”); hence, the
index below has been developed to provide guidance regarding where details of the major
implications, relevant to this chapter, may be found. However, to truly understand and apply
ISSAI 140 in the work of the DAGP, it is strongly recommended to read the chapter in order.

ISSAI 140 Implication on DAGP Mechanism Aligning DAGP with Section

ISSAI 140 No.
The DAGP should ensure that the audit Identifying the level of expertise and 2
teams have the collective knowledge of qualifications in an FAO and undertaking
their subject matter and auditing periodic skills assessments to evaluate
proficiency necessary to fulfil the human resource needs in order to
requirements of the audit. effectively perform the FAO’s duties.
The delegated responsibilities within the Awareness of DAGP staff regarding their 8
DAGP for the audit quality management job description.
should be clearly defined for each staff
involved in the audit process.
The DAGP should assess the personnel Providing staff an opportunity to express 11
needs of its staff by developing staff their views on the work environment to
welfare practises. management.
Capacity building of staff should be a Providing staff an opportunity for personal 13 & 23
continuing process and should be and career development through training
adapted to the needs of the DAGP so that requirements.
staff could equip themselves relevant

49 |
 ISSAI 140 Implication on DAGP Mechanism Aligning DAGP with Section
ISSAI 140 No.
knowledge, techniques and adapt to
changes in audit methodologies and tools.
DAGP staff should be aware of their Conducting performance assessments of 18
professional career development path and staff annually as well as after each audit,
the minimum targets that needs to be providing staff feedback regarding their
achieved for progression, which should be performance on a regular basis.
based on the principles of equality and
merit, with consideration to demonstrated
ethical behaviour.
To create an environment that is A flexible reward management system to 19 & 20
dedicated to quality and ethical principles, include periodic rewards against
behaviour and performance of staff that performance and ethical behaviour.
encourage such an environment should
be emphasized and rewarded.

50 |
 5.2. Recruitment, Staff Development and
Performance Management
SAls may draw on a number of different sources to ensure they have the necessary
skills and expertise to carry out the range of their work, whether carried out by SAI
personnel or contracted out. (ISSAI 140 element 4 section 1, page 17)
SAls should ensure that responsibility is clearly assigned for all work carried out by
the SAI. (ISSAI 140 element 4 section 2, page 17)
SAls should ensure that as policies and procedures give appropriate emphasis to
quality and commitment to the SAI’s ethical principles. Such policies and procedures
related to human resources include:
• recruitment (and the qualifications of recruited staff);
• performance evaluation;
• professional development;
• capabilities (including sufficient time to perform assignments to the required
quality standard);
• competence (including both ethical and technical competence);
• career development;
• promotion;
• compensation; and
• the estimation of personnel needs. (ISSAI 140 element 4 section 5, page 18)

1. The policies and procedures should be designed to provide the AGP with reasonable
assurance that the DAGP has sufficient personnel with the capabilities, competence,
and commitment to ethical principles necessary to perform its engagements in
accordance with professional standards and regulatory and legal requirements to enable
the AGP to issue quality reports free from error and bias.
The key aspects of the DAGP’s management of human resources include:
• Adopting policy and procedures regarding recruitment, capacity building, and
professional development;
• Periodically reviewing the training and professional development programmes to
evaluate their effectiveness; and
• Establishing a transparent and performance-based promotion system including
development of KPIs.
5.2.1. Recruitment
2. One of the elements of human resource management is to recruit personnel with suitable
qualifications to be able to perform their assigned tasks effectively. The DAGP should
maintain written procedures in place for recruitment and establish minimum qualification
requirements. The DAGP should regularly review, minimum educational requirements

51 |
 for the appointment of their staff in addition to an analysis of organizational needs,
considering matters such as vacancies, existing competencies and skills levels, and staff
turnover rates.

Quality Control Implications (FAO-Level)

A periodic skills assessment should be carried out to evaluate the necessary skills and
qualifications required to cover all sectors in the audit without comprising the quality of
work performed. A mechanism should also be in place to pool in the resources of FAOs
as and when required. A list of staff containing qualification, experience and skillset
should be maintained at each FAO to facilitate in audit planning, capacity building and
performance assessment. This list should be easily obtainable if a Human Resource
Management Information System (HRMIS) is developed at the HO-Level. For further
details on what an HRMIS should be, refer to Section 18 & 23 of this Element.
3. Recruitment for the DAGP should be based on the principles of openness, publicity,
equality and merit. Ethical behaviour should be considered when recruiting auditors and
staff. By establishing a robust competency framework, the DAGP should be able to
identify the skills, attitude, knowledge and experience they require more easily. Good
practice examples to apply in the recruitment process include:
• Assessing candidates’ reactions to ethical dilemmas during examinations and
interviews.
• Conducting psychological tests and examinations.
• Undertaking background checks following security clearance include procedures.
4. The principle of openness and transparency is vital for a merit-based recruitment system.
INTOSAI’s Capacity Building Committee (CBC) Human Resource Management (HRM)27
describes good practices with regard to transparent procedures for recruitment and
selection in Chapter 5 page 19, stating the following: “It will describe where to advertise
in order to reach the required types of staff, when the adverts will be issued, what
documentation and forms will be available for applicants, how queries will be managed,
when the applications need to be lodged, when people would expect to be called for
assessment and/or interview, and when the results should be known.” Advertisements
of positions should include a description of the skills and experiences needed. So as to
counter the threat of nepotism, it is a better practice to allow the procedures of
recruitment and selection to be known publicly.
5. It is good practice to recruit on the basis of equal opportunity, including considerations
with regard to gender and disabilities. INTOSAI’s CBC HRM27 guide states that
procedures should be made public and should promote diversity and that procedures for
recruitment (as stated in Section 4 of this Element) should be designed to ensure entry
to the DAGP is fair and transparent, and that selection is based on objective, merit-based
criteria. INTOSAI’s CBC HRM states in Chapter 5 page 2027, “It is vital in this process
that equal opportunity issues are considered to help ensure that the SAI is recruiting
from as wide a pool of talent as possible. In some cases, an SAI may specifically refer
in its job advertisements to particular groups who may be under-represented in the SAI.
For example, women and members of ethnic minorities are often encouraged to apply.

27
www.intosaicbc.org/download/hr-management-guide-eng/

52 |
 These considerations need to be reflected throughout the recruitment and selection
process, for example, by featuring ethnic minority staff in promotional material on the
SAI or ensuring that women are represented on the staff selection panel.”
6. It is good practice for a probation period of six to twelve months be established for the
induction of new DAGP staff in order to help the DAGP to satisfy itself as to the suitability
of the new recruits by checking that requirements of the post are met.
7. Although it is ordinary for SAIs to depend on Public Service Commissions for recruitment,
SAIs can still have their own policy within the purview of the Public Services by deciding,
for example, a percentage of people who would be recruited directly from the Public
Service, and those who would be promoted through the ranks. Hence, the DAGP should
establish their own policy, while keeping in consideration the aforementioned elements
of a high quality recruitment system, for the recruitment of certain DAGP staff through,
for example, open interviews or tests. The DAGP should evaluate whether their human
resource meet their needs and should consider making adjustments in their recruitment
policy if any shortcoming is identified.
5.2.2. Roles and Responsibilities
8. The delegated responsibilities within the DAGP for the audit quality management should
be clearly defined for each staff involved in the audit process. These responsibilities
should be included in the job description of the respective staff.

Quality Control Implications (HO-Level)

Each staff should be required to sign the job description acknowledging that the staff
understands his role and responsibilities. A copy of the signed job description should be
maintained in the personal file of the staff. The work allocation and subsequent
performance assessment should take into account the set job descriptions.
For the specific roles and responsibilities of DAGP staff at QAI&M Wing and at the FAO-
Level for quality assurance and quality control respectively, refer to Annexure C “Quality
Control & Assurance Key Tasks and Responsibilities for DAGP staff”.
5.2.3. Performance Evaluation
9. INTOSAI’s CBC HRM Guide Chapter 5 Page 2228 states the following: “The promotion
and advancement of audit staff need to be based on finding the best person to fill any
position. While at times the staff who have served longest in an organisation may be the
most skilled and experienced, this is not always the case. Instead, suitability for
promotion should be based on performance appraisals linked to the assessed potential
to perform at the higher level. An SAI should develop a system which gives weight to
high performance, meritorious work and assessed potential, especially for promotions to
the middle and senior management levels. These should be based on merit and
potential, and not on time served.”
10. The DAGP’s performance evaluation, compensation and promotion procedures give due
recognition and reward to the development and maintenance of competence and
commitment to ethical principles. In particular, it should:

28
www.intosaicbc.org/download/hr-management-guide-eng/

53 |
 • Make personnel aware of the DAGP’s expectations regarding performance and
ethical principles;
• Provide personnel with evaluation of, and counselling on, performance, progress
and career development; and
• Help personnel understand that advancement to higher position depends, among
other things, upon performance quality and adherence to ethical principles, and
that failure to comply with the relevant policies and procedures may result in
disciplinary action.
5.2.4. Staff Welfare
11. The DAGP should assess the personnel needs of its staff by developing staff welfare
practises. INTOSAI’s CBC HRM Guide Chapter 6 Page 3623 states that, “Employers
want employees who will do their best work or ‘go the extra mile’. Employees want jobs
that are worthwhile and that inspire them. More and more organisations are looking for
a win-win solution that meets their needs and those of their employees. What they
increasingly say they are looking for is an engaged workforce. A lack of, or low, wellbeing
at work can cost SAIs a considerable amount of money through lost working days and
low productivity. Employee engagement contributes to more productivity, better work,
less sickness leave and less turnover. As the success and quality of an SAI depend on
its human resources, well-being is an essential element in the HR-strategy.”

Quality Control Implications (HO-Level)

DAGP staff should have the opportunity to express their views on the work environment
to management, and management should act upon the issues arising from the views
expressed on the work environment. Taking into consideration DAGP staff’s needs by
assessing their viewpoints, the DAGP should establish a functional staff welfare policy,
which should be part of their HR strategy document.
5.2.5. Professional and Career Development
12. The DAGP needs not only to attract staff that enables the constant addition of external
inputs, new ideas, experiences and skills, but also to retain a strong professional
workforce to ensure the efficient pursuit of its goals and objectives. A fair system of
internal promotion also recognizes and rewards the commitments and talents of the staff.
Many SAIs work to ensure a healthy mix of internally promoted and externally recruited
staff.
13. Professional development and career progression should also be based on the
principles of equality and merit, with consideration to demonstrated ethical behaviour.
There should also be evaluation of, and counselling on, performance, progress and
career development for members of the staff. Each staff should be aware of their
professional career development path and the minimum targets that needs to be
achieved for progression.

Quality Control Implications (HO-Level)

Minimum training / Continuing Professional Development (CPD) hours should be

established for each DAGP staff and trainings should be allocated to complete these
hours. This ensures that each staff has an opportunity for development, which is

54 |
 necessary for effective career development. Refer to Sections 21 - 23 of this Element
for further details regarding training and capacity building.

14. There should be established routines to ensure individual performance appraisals to take
place at least once a year in the DAGP. For further details in this regard, refer to Section
15 below.

SAls should ensure that quality and the SAI’s ethical principles are key drivers of
performance assessment of personnel and any parties contracted to carry out work for
the SAI. (ISSAI 140 element 4 section 8, page 18)

15. The performance appraisal system in the DAGP includes the preparation of a PER for
each staff. The performance evaluation is carried out by the reporting officer and up to
two countersigning officers that review and provide their remarks.
16. To create an environment that is dedicated to quality and ethical principles, behaviour
and performance of staff that encourage such an environment should be emphasized
and rewarded. Performance evaluation plays a key role in this regard by incorporating
such elements as KPIs.
17. As stated in Section 8 of this Element, the appraisal system should assess the staff’s
performance against their job description.
18. An annual performance appraisal provides into the general behaviour of a staff member
over a year of performance. To obtain more qualitative details of the work performed by
staff, the DAGP should establish a monitoring system that evaluates performance of staff
throughout the year. Results of this system would also assist in the preparation of the
PER.

Quality Control Implications (FAO-Level)

Performance assessment of staff should be performed after each audit, the assessment
should be maintained in the personal file of each staff, including training and CPD
achieved during the year, and should form a part of the basis of the annual performance
assessment. This activity may be linked with the audit team self-assessment described
in Section 16 Element 5 “Performance of Audit and Other Work”.

Quality Control Implications (HO-Level)

It is good practice to establish an HRMIS that can act as a hub for performance
assessment, training development and resource allocation. The aforementioned
assessment conducted at the FAO level may be uploaded to the HRMIS against the
relevant staff member to allow for ease of access when conducting performance
evaluation or any other human resource related activity involving the staff.

19. To incentivize hard work and excellence, DAGP should have in place a rewarding
mechanism to reward high quality of work performed by its staff.

Quality Assurance Implications (QAI&M)

On the basis of quality assurance reviews from QAI&M Wing through QAC meetings
(Refer to Section 9, Element 6 “Monitoring” for further details), a grade is issued to audit

55 |
 reports. This grade is indicative of the quality of the audit report. A high grade should be
issued to reports that are most free from error and conducted by staff that comply with
all professional standards. A flexible reward management system should be in place to
reward and incentivize high scoring audit reports.

Quality Control Implications (HO-Level)

This reward management system would include periodic rewards at the end of an audit
activity strictly based on performance evaluation gauged against carefully devised KPIs
in the PER.

20. To incentivize ethical behaviour, reward and recognition policies should be applied
through ethics related awards and prizes. Good practice incorporates ethical criteria into
the PER and into promotion choices. Example of ethical criteria include the following:
• Sense of responsibility;
• Integrity and professional conduct;
• Personal qualities;
• Conduct on and off duty, including professional ethics;
• Commitment to the institution and integrity;
• Active support for government policies; and
• Demonstration of positive professional behaviour.

SAls should promote learning and training for all staff to encourage their
professional development and to help ensure that personnel are trained in current
developments in the profession. (ISSAI 140 element 4 section 6, page 18)

5.2.6. Training and Capacity Building

21. Training is the key process of HRM by which staff acquire the skills needed to accomplish
their assigned tasks. The purpose of training is to build the capacity of staff to ensure
quality in all work performed and assist the DAGP in achieving its objectives.
22. It is vital for the audit staff to be equipped with knowledge and sound understanding of
the public sector environment — role of legislature, legal and institutional arrangements
governing the operations of the government departments and public entities, auditing
standards, audit methodologies, policies, procedures and practices. The audit
methodologies are evolving at a fast pace and newer techniques are available like risk-
based auditing, application of quantitative techniques and increasing use of IT as an
audit tool to improve audit quality. As a result, training has assumed critical importance
in the professional development of staff.
23. Capacity building of staff should be a continuing process and should be adapted to the
needs of the DAGP so that staff could equip themselves relevant knowledge, techniques
and adapt to changes in audit methodologies and tools. Training needs assessments
should be carried out by the DAGP on a periodical basis to evaluate the required skill
set for its staff.
The capabilities and competence should be developed and maintained by:

56 |
 • In-house training courses, seminars and workshops covering a wide variety of
topics focusing on developing a well-rounded workforce.
• On-the-job training by attaching new staff to work under the guidance of
experienced staff.
• CPD, including training
• Formal training courses designed on the basis of training needs assessment
• Improving and standardizing training material to maintain training quality;

Quality Control Implications (HO-Level)

As mentioned in Section 18 of this Element, it is good practice to establish an HRMIS that

can act as a hub for performance assessment, training development and resource
allocation. The HRMIS should be able to portray each staff member’s expertise in a
particular area, which will be helpful in assigning relevant training courses. It is good
practice for required competencies to be assigned for all levels of staff, on the basis of
which the DAGP may identify / design training courses that address those competencies.
In the HRMIS, trainings attended can be allocated to the attendees of the training on an
individual basis, assisting in enhancing the effectiveness of the training plan by ensuring
that staff are allocated trainings most relevant and beneficial. It will also prevent staff being
allocated the same training courses that they have already completed. Staff selection for
trainings should entail developing a pool of potential nominees based on availability
ascertained by an HRMIS. The concerned FAO should select nominations on the basis of
the pool. As a result, the training system in the DAGP would keep into consideration the
needs of individual staff members.
Without an HRMIS, training procedures likely end up as simple staff nominations by the
FAO without due consideration of staff development. The activity of nominating staff
should have some level of central involvement, which can only be effectively performed
through the assistance of an HRMIS.

57 |
5.3. Third Party Resourcing
SAls should ensure that personnel, and parties contracted to carry out work for the
SAI (e.g. from chartered accountancy or consulting firms), have the collective
competencies required to carry out the work. (ISSAI 140 element 4 section 3, page
17)
SAls should recognise that in certain circumstances personnel and, where relevant,
any parties contracted to carry out work for the SAI, may have personal obligations
to comply with the requirements of professional bodies in addition to the SAI’s
requirements. (ISSAI 140 element 4 section 4, page 17)
SAIs should ensure that personnel and any parties contracted to carry out work for
the SAI have an appropriate understanding of the public sector environment in which
the SAI operates, and a good understanding of the work they are required to carry
out. (ISSAI 140 element 4 section 7, page 18)

24. The DAGP may draw on a number of different sources to ensure they have the
necessary skills and expertise to carry out the range of their work, whether it is conducted
in-house or contracted out. However, it should ensure that personnel and, where
relevant, parties contracted to conduct work for the DAGP have the collective
competencies required to undertake the range of work of the DAGP.
25. If work is contracted out to external parties, due care should be exercised to ensure that
the consultants' competence and aptitude for the particular tasks involved is adequate.
The technical and professional competence while hiring external parties should be
evaluated as per the relevant rules of the Public Procurement Regulatory Authority29.
The key areas to evaluate include:
• Technical competence of the external party;
• Public sector experience;
• Technical competence, qualification and experience of staff offered;
• Feedback letters from previous work performed in public sector;
• Audit methodology to be used.
26. The DAGP should ensure that external consultants should follow international standards
of auditing, so that they are able to get reasonable assurance that the work performed
by the contracted third party is reliable, and decisions may be taken on the basis of work
performed; as a result, whenever contracting third party firms, the contract made with
the external consultants shall clearly state the standard to be followed in carrying out
work assigned.
27. For further guidance regarding involving outside experts in the work of the DAGP, refer
to Sections 17 – 20, Element 5 “Performance of Audit and Other Work”.

29
www.ppra.org.pk/Rules.asp

58 |
 Element 5:
6
Performance of Audit
and Other Work
The DAGP should establish policies and procedures designed to provide it with
reasonable assurance that engagements are performed in accordance with
professional standards and applicable legal and regulatory requirements, and that
the DAGP issues reports that are appropriate in the circumstances. Such policies
and procedures shall include:
• matters relevant to promoting consistency in the quality of engagement
performance;
• supervision responsibilities; and
• review responsibilities.

6.1. Index for Implications

As discussed in Section 1.6.3, quality control or quality assurance implications may arise to
impact the quality control or quality assurance systems of the DAGP (a summary of which is
available in Annexure E “Summary of Quality Control / Assurance Implications”); hence, the
index below has been developed to provide guidance regarding where details of the major
implications, relevant to this chapter, may be found. However, to truly understand and apply
ISSAI 140 in the work of the DAGP, it is strongly recommended to read the chapter in order.

ISSAI 140 Implication on DAGP Mechanism Aligning DAGP with Section

ISSAI 140 No.
The DAGP should ensure appropriate Availability of appropriate audit manuals 1-3
policies, procedures and tools are in place and working paper kits (for all stages of the
for carrying out the range of work that is audit) that are developed on the basis of
the responsibility of the DAGP. INTOSAI standards and better practices.
The DAGP should ensure quality at the Quality control templates designed for 11
audit planning stage. audit planning.
The DAGP should ensure adherence to Supervisory plan, supervisory visits and 15, 21 &
the principles of DAGP auditing the use of a supervision checklist. 27
standards.
The DAGP should enlist resources (such Engagement of consultants and 18
as technical experts) to deal with documentation of consultations.
particularly difficult or contentious matters.

59 |
 ISSAI 140 Implication on DAGP Mechanism Aligning DAGP with Section
ISSAI 140 No.
The DAGP should ensure that all audit Reviewing all work, documenting reviews 31 - 33
work be reviewed by a senior member of and utilizing an independent quality control
the audit staff before audit opinions or reviewer and / or additional layers of
reports are finalized. review for higher-risk / more complex
audits.
The DAGP should ensure quality at the Quality control templates designed for 41
audit execution stage. audit execution.
The DAGP should facilitate the effective Usefulness of good documentation and 42
storage of all documentation maintained utilizing information technology for digital
by FAOs. storage.
The DAGP should retain ownership of all Ensuring custody of documentation and 47
documents produced by it. working papers.
The DAGP should ensure quality during Standards of a quality audit report and the 51
the audit reporting stage. audit completion checklist.
A monitoring system should be in place to Obtaining management comments and 55 & 57
identify management action plans against performing follow-ups.
audit matters raised and their progress.
The DAGP should balance the Recordkeeping regulations. 65
confidentiality of documentation with the
need for transparency and accountability.

60 |
 6.2. Audit Planning
SAIs should ensure appropriate policies, procedures and tools, such as audit
methodologies are in place for carrying out the range of work that is the responsibility
of the SAI, including work that is contracted out. (ISSAI 140 element 5 section 1, page
19)
Note: This requirement generally applies to all phases of the audit cycle.

1. The auditors should be equipped and facilitated with predefined policies, procedures and
tools, where able, in order to streamline and produce work of consistently high quality.
Throughout this document, certain manuals of the DAGP are referred to, which serve as
the hub of the aforementioned policies, procedures and tools for auditors to utilize. The
audit related manuals currently in use by the DAGP are as follows:
• Financial Audit Manual (FAM): Primarily used for guiding auditors in conducting
financial attestation / certification audits as well as compliance audits. This
manual was issued in 2005 and revised in 2012. The purpose of this Audit
Manual is to provide DAGP auditors with a set of modern auditing standards,
concepts, techniques, and quality management arrangements that are
consistent with international standards for auditing entities in the Government of
Pakistan.
• Performance Audit Manual (PAM): Primarily used for guiding auditors in
conducting performance audits. This manual was developed in 2012 and
includes information related to the auditing of an entity’s value for money, i.e.
the economy, efficiency and effectiveness of a given programme, project or
entity. Performance audits are a means to improve management practices in the
public sector and sharpen the accountability process of public managers.
• Audit Manual for Foreign-Aided Projects (FAP): Primarily used for guiding
auditors in conducting financial attestation and compliance audits of FAPs. The
manual is intended to assist in meeting development partner expectations
regarding audit of FAPs. These audit requirements are laid out in the relevant
legal agreements underlying the FAP.
In addition to the audit manuals, Sectoral Guidelines are also available to provide
assistance in conducting sector-specific audits. These guidelines are designed primarily
with financial and compliance audits in mind, elaborating on elements of FAM specific to
the relevant sector in this regard. These guidelines should be developed and maintained
for any audit that requires additional technical procedures and / or considerations that
the auditor should be aware of.

Quality Control Implications (FAO-Level)

At the start of the planning phase, DG of the respective FAO should ensure that
instructions be issued to audit teams prior to the commencement of audits. Among other
things, these instructions should include information regarding the tools, policies and
methodologies made available to the field audit teams to assist and standardize the
quality of their work. Relevant performas contained within the aforementioned manuals

61 |
 should be mentioned in these instructions. Refer to Annexure F.2.2 “Template for Field
Audit Instructions” for a template stipulating a basic structure of the instructions to be
provided to the audit teams prior to the commencement of their audits.

2. Each audit team (typically led by an AO) should maintain a permanent file, a planning
file, execution working papers and a reporting & evaluation file. The aforementioned
documents consist of the required tools and templates the auditor should employ
consistently in an audit in this regard.

Quality Control Implications (FAO-Level)

A checklist should be maintained for each of the files in order to ascertain completeness
of each file.
The permanent file should, at the minimum, include the following templates found in the
Working Paper Kit of FAM:
• Update Control Sheet
• Status of the Entity
• Background Information
• List of Auditable Locations
• List of Bank Accounts
• List of Authorised Signatories
• External Factors
• Accounting Records and Accounting System
• Key Contacts
• Significant Audit Areas
• Significant Accounting Policies
• Supporting Document: Corporate Plan
• Supporting Document: Financial Rules / Laws & Regulations / Service Rules
• Supporting Document: Organization Chart
• Supporting Document: Accounting Policies
• Supporting Document: Chart of Accounts
• Supporting Document: Environmental laws and regulations
• Supporting Document: Long-term Contracts and Leases
• Supporting Document: Loan agreements, Mortgages, Debt Instruments
• Supporting Document: Amortization Schedules of Major Assets
• Supporting Document: Extracts of Minutes
• Supporting Document: Previous Year’s Audited Financial Statements
• Supporting Document: Auditor’s Reports to Management
• Supporting Document: Management Responses
• Supporting Document: Other
The planning file should, at the minimum, include the following templates found in
Working Paper Kit of FAM:
• Audit Objectives and Scope
• Points Brought Forward from Previous Audits
• Entity Communication Letter, Audit Planning Memorandum
• Memorandum on Post-Planning Changes

62 |
 • Important Dates Form, Time and Fee Budgets and Daily Timesheets
• Information Requested from Entity Officials Form
• Materiality Assessment Form
• Expected Aggregate Error and Planned Precision Form
• Audit Risk Assessment Form
• Inherent Risk Assessment Form
• Environmental Internal Control Questionnaire
• Internal Control Questionnaire – General Computer Controls
• Internal Control Questionnaire – Application Controls
• Control Risk Assessment Form
• Analytical Procedures Assurance
• Source of Audit Assurance Form
• List of Applicable Laws and Regulations
• High Value Item Selection Form
• Key Item Selection Form
• Sample Sizing for Tests of Internal Control
• Sample Sizing for Substantive Tests of Details
• Checklist of Accounting Estimates to be Reviewed
• Points for Attention of Next Audit
• Audit Planning Checklist
The audit execution working papers should differentiate according to the objective and
nature of the audit. In general, they should include, but not be limited to, the:
• Appropriation Accounts Cross Referenced to Underlying Summaries
• Grant-wise Summaries, Inter-Government Accounts to be eliminated
• Summary of Analytical Procedures Performed
• Detail of Analytical Review Procedures Performed
• Internal Control Questionnaires checklist
• Internal Control Deviations Form
• Internal Control Deviations Summary
• Compliance Summary
• Errors in Accounting Estimates
• Substantive Test Sample Summary
The evaluation & reporting file should, at the minimum, include the following templates
found in Working Paper Kit of FAM:
• Internal Control Analysis - Impact Analysis
• Analytical Procedure Thresholds
• Evaluation of Analytical Procedures
• Evaluation of Internal Control Deviations
• Substantive Tests Evaluation-Projectable Errors from Sample
• Substantive Tests Evaluation-Non-Projectable Errors
• Substantive Tests Evaluation-Summary
• Achieved Level of Assurance Form
• Error In each Component
• Overall Error in Financial Statements

63 |
 • Compliance with Authority Violations
• Checklist of Management Representation Letter
• Sample Management Representation Letter
• Audit Completion Checklist
• Memorandum Supporting Signature
• Auditor’s Opinion
• Follow Up Continuity Schedule
• Quality Assurance Checklist

Quality Assurance Implications (QAI&M)

A post-audit quality assurance checklist should be conducted for an FAO’s audits on the
basis of a sample selection, determined by DG QAI&M. The checklist shall be used to
check for the completeness of each file (permanent, planning and execution) and related
quality control forms. These checklists should be the responsibility of the head field
inspection teams from QAI&M Wing. Refer to Annexure G.1.1 “Post-audit Quality
Assurance Checklist” for the template of this checklist.

3. The DAGP should ensure that the auditing standards and core methodologies used are
available to be scrutinized by the public eye. As per INTOSAI P-12 Principle 830, “SAIs
should use, as appropriate for their circumstances, auditing standards, processes and
methods that are objective and transparent, and make known to stakeholders what
standards and methods are used.”

Quality Control Implications (HO-Level)

Audit Policy Wing, or any other Wing designated by the AGP, should ensure that any
policy document pertaining to auditing standards and / or core methodologies to be used
by DAGP auditors is made available to the public for their scrutiny. Such documents
include both the Audit Manuals and Sectoral Guidelines of the DAGP.

SAls should aim for timely completion of audits and all other work, recognising that the
value from the work of SAIs diminishes if the work is not timely. (ISSAI 140 element 5
section 9, page 20)

6.2.1. Audit Objectives, Scope and Methodology

4. In planning the audit, the most important process is defining the audit objectives. The
objectives are what the audit is intended to accomplish. The scope of the audit shall be
linked to the audit objectives and the DG of respective FAO should design the
methodology in such a fashion as to provide sufficient, competent and relevant evidence
to achieve the objectives of the audit.
6.2.2. Audit Plans
5. Adequate planning of the audit helps in ensuring that all significant entities and
programmes, which are vulnerable to risks, are covered, available resources are
optimally utilized for conducting the audits and the work is completed expeditiously.
Operational planning of the individual audits is the most critical process for securing a

30
www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_11_to_P_99/INTOSAI_P_12/INTOSAI_P_12_en.pdf

64 |
 high standard of audit. A good audit plan will ensure a focused field work by the audit
team and also facilitate monitoring and review of the progress of audit by senior audit
functionaries.
6. An effective annual audit plan should incorporate the following features:
• Clearly defined activities, timetables and responsibilities;
• Coverage of all the DAGP’s main support services, like financial management, HR
and training, IT and infrastructure, etc.
• Clear links to the DAGP’s strategic plan.
• The annual plan contains or is linked to a budget, and there is evidence that
considerations have been made about the resources needed to complete the
activities in the plan.
• An assessment of risks connected to achieving the objectives of the plan.
• Measurable indicators at the outcome and output level.
• Baselines of current performance and milestones for major indicators.
7. It is important that the audit plans take into consideration that, in order to achieve high
quality audit reports, auditors require sufficient time to perform their duties in an effective
manner. When preparing timelines, the audit plans should provide enough time for all
planned audit procedures to be performed.
8. INTOSAI auditing standards state that the auditor should plan the audit in a manner
which ensures that an audit of high quality is carried out in an economic, efficient and
effective way and in a timely manner. In planning an audit, the auditor should:
• Identify important aspects of the environment in which the audited entity operates;
• Develop an understanding of the accountability relationships;
• Consider the form, content and users of audit opinions, conclusions or reports;
• Specify the audit objectives and the tests necessary to meet them;
• Identify key management systems and controls and carry out a preliminary
assessment to identify both their strengths and weaknesses;
• Determine the materiality of matters;
• Review the internal audit of the audited entity and its work programme;
• Determine the most efficient and effective audit approach; and
• Provide for appropriate documentation of the audit plan and for the proposed
fieldwork.
9. Audit planning should incorporate a rigorous risk assessment in its processes to identify
risk areas appropriately prior to the commencement of field audits. Risk assessment
during the audit planning is covered in Section 2 - 4, Element 3 “Acceptance and
Continuance”.

65 |
10. While conducting audit quality control review of the planning process, it should be seen
whether the planning process was timely, comprehensive, based on sound judgments,
appropriately documented and reviewed by suitably experienced staff.
11. The quality control of the audit planning can be achieved through:
• Compliance to DAGP auditing standards, guidelines and instructions;
• Comprehensive data and information and knowledge of the subject / topic of audit,
the legal framework of audit etc.
• Guidelines, policies and procedures which focus on transparent assessment of
skill, knowledge and competence of audit staff and matching the skill and
knowledge required for audit;
• Review of the planning by senior management of the DAGP; and
• Independent review of the entire planning processes of all audits.

Quality Control Implications (FAO-Level)

Several templates are available in this document to be used as quality control checks on
the audit planning phase of an audit:
• Annexure F.2.4: Permanent File & Planning File Updation Summary - portrays
significant changes made to the permanent & planning file from previous years,
including changes in planning decisions, planned audit focuses and audit steps
from previous years.
• Annexure F.2.5: Report for Quality Control Review of Permanent & Planning
Files - prepared at the end of planning phase for the purpose to ensure that
Permanent Files and Planning Files are timely prepared / updated for planned
audit assignments. It shall detect any out non-compliance of quality controls on
Permanent Files and Planning Files. This report shall warn the top management
to take corrective actions before the commencement of the audit execution.
• Annexure F.2.6: Summary of Quality Control Review of Permanent &
Planning Files - prepared at the end of planning phase for the purpose of updating
the concerned DAG to exceptions identified during Quality Control Review of the
Planning phase. This report shall warn the top management to take corrective
actions before the commencement of the audit execution.
Quality Assurance Implications (QAI&M)

Performed at the FAO level, quality assurance should be conducted after the preparation
of the audit report by the DAGP. During the quality assurance of an individual audit, the
planning stage should be thoroughly reviewed to ensure that it was carried out
appropriately with the usage of all relevant quality control forms. Details of the quality
assurance mechanisms that should be in place are found in Sections 8 - 10, Element 6
“Monitoring”.
To independently review the audit cycle as well as the quality control work at the FAO
level, inspection teams should be sent by QAI&M Wing to review the audit planning cycle
of audits selected through sample selection at QAI&M Wing. Details of this procedure is

66 |
 stated in Section 8, Element 6 “Monitoring”. Refer to Annexure G.1.1 “Post-audit Quality
Assurance Checklist” for the template to be used by inspection teams.
After the completion of the quality assurance checklist, another quality assurance
mechanism, should be in place to review the draft audit reports, the audit planning of an
audit as well as the quality assurance activity of the inspection teams from QAI&M Wing.
This quality assurance mechanism is in the form of QAC meetings held at QAI&M Wing.
For details regarding this mechanism, refer to Section 9, Element 6 “Monitoring”. Refer
to Annexure G.2.3 “QAC Meeting on the Audit Report (Financial Audits)” and Annexure
G.2.4 “QAC meeting on the Audit Report (Other Audits)”, whichever is applicable, for the
templates to be used during these meetings to assess the audit reports.

67 |
 6.3. Audit Execution
SAIs should establish policies and procedures that encourage high quality and
discourage or prevent low quality. This includes creating an environment that is
stimulating, encourages proper use of professional judgement and promotes quality
improvements. All work carried out should be subject to review as a means of
contributing to quality and promoting learning and personnel development. (ISSAI 140
element 5 section 2, page 19)
Note: This requirement generally applies to all phases of the audit cycle.

12. Broadly, the process of executing an audit includes intimating audit formations of audits,
executing audit test programmes and finally developing audit opinions, findings and
recommendations, which are discussed in the exit meetings to obtain written
management responses. Audits have to be conducted as per the detailed guidelines for
conducting Performance, Financial and Compliance Audit (refer to Section 1 of this
Element for the currently established guidelines in this regard). Basic steps include
developing audit questions, audit programme, audit criteria, audit approaches, audit test
programmes and developing findings and recommendations.
13. Quality in implementation of the audit is assured through the following:
• Adherence to the principles of DAGP auditing standards (Sections 15 & 21 of this
Element).
• Ensuring appropriate skill and knowledge - internal (Sections 2 - 7, Element 4
“Human Resource”) or procured (Sections 17 - 20 of this Element for outside
experts).
• Supervision, monitoring and review, including workshop (Sections 25 - 33 of this
Element).
• Documentation of the audit and of its processes (Sections 40 - 42 of this Element).
• Peer review (Sections 17 - 22, Element 6 “Monitoring”); and
• Consultation and advice (Section 18 of this Element).
14. The DAGP should ensure that their environment encourages high quality by utilizing
standards aligned with internationally established principles. These standards should be
made available in the relevant manual / guideline document and kept up to date. As
stated in Section 6, Element 2 “Ethics”, a review of the standards used by the DAGP
should be conducted on a fixed basis by an experienced team, preferably on an annual
basis or as per the discretion of DAG QAI&M.
15. Adherence to the principles of the aforementioned standards should be monitored
through mechanisms in place in the DAGP at the FAO level. These mechanisms
primarily entail supervision of audits. All work undertaken should be reviewed with the
aim of promoting quality, learning and professional development.
As per FAM Section 9.11.1, "Supervision involves ensuring that:

68 |
 • The members of the audit team fully understand all of the planning decisions
before commencing the fieldwork; the audit programmes are completed as
planned, unless changes are required; if changes are required to the audit plan,
the additional areas that require examination, or the areas that require additional
examination, are properly planned and the work is properly performed; only
essential work is performed;
• Sufficient evidence will have been obtained when the work is completed;
• Audit findings and conclusions are being adequately supported by evidence in the
working papers;
• The audit is performed within the time budget and by the deadline dates set; and
• The work is being done in a strong team environment, which promotes the success
of the audit and the development of audit skills within the team.”
Quality Control Implications (FAO-Level)

DG of the respective FAO should ensure that a supervisory plan be developed prior to
the commencement of audits and incorporated in the instructions to field audit teams
(refer to Annexure F.2.2 Template for Field Audit Instructions for further details). The
plan should designate the supervisory officers for each audited entity undergoing an
audit. The supervisory officers should be sufficiently skilled and knowledgeable of the
audit that they intend to supervise.
A supervision checklist should be conducted during the supervisory visits planned as a
means to review the audit work performed. Refer to Annexure F.3.5 Supervision
Checklist for the template to be used for supervising the field audits.

16. To encourage an environment that stimulates learning and personal growth, behaviour
that helps create such an environment should be incentivized through rewarding
mechanisms. In order to achieve this objective, the DAGP should have effective
remuneration, promotion and staff welfare practices in place. For details regarding the
latter two practices, refer to Sections 11 - 14, Element 4 “Human Resource”.

Quality Assurance Implications (QAI&M)

On the basis of quality assurance reviews from QAI&M Wing through QAC meetings
(Refer to Section 9, Element 6 “Monitoring” for further details), a grade is issued to audit
reports. This grade is indicative of the quality of the audit report. A high grade should be
issued to reports most free from error and conducted by staff that comply with all
professional standards. A flexible reward management system should be in place to
reward and incentivize high scoring audit reports.

Quality Control Implications (FAO-Level)

After the completion of an audit fieldwork by a field audit team, the audit team should
perform an audit team self-assessment. Through this, the team may provide feedback
regarding what worked well and what could be improved, documenting conclusions for
consideration during future audits. This activity may be linked with the individual
performance assessment of staff as described in Section 18, Element 4 “Human
Resource”.

69 |
 In addition, for individual staff, the reward management system should asses the staff’s
performance against carefully devised KPIs (placed in the PER) and reward them
accordingly.

Where difficult or contentious matters arise, SAIs should ensure that appropriate
resources (such as technical experts) are used to deal with such matters. (ISSAI 140
element 5 section 3, page 19)

17. In the course of work for the DAGP, certain difficult or contentious matters arise requiring
resources or expertise that may not be available. The DAGP should have procedures in
place to supplement internal human resources with outside expertise as required. These
procedures should follow an assessment of risk to the quality of outsourcing audit work,
and the procedures should then address these risks.
18. When enlisting outside experts, the DAGP should ensure that applicable local rules &
regulations are followed, namely the Public Procurement Rules from the Public
Procurement Regulatory Authority31. The consultation should be appropriately
documented, and a written record of the consultation should be maintained.

Quality Control Implications (FAO-Level)

A record of consultation should be maintained at the FAO level regarding the usage of
an outside expert. Refer to Annexure F.3.6 “Record of Consultation” for the template to
be used when documenting the use of a consultant during an audit at the FAO level.

19. The outside expert should have the appropriate knowledge, seniority and experience
within and outside the DAGP on significant technical, ethical or other matters related to
the contentious matter.
20. Only an outside expert that follows an appropriate quality control system and
professional standards should be hired by the DAGP. The DAGP should maintain its
level of vigilance when it comes to reviewing work from outside experts, leaving no audit
work unreviewed. It is important to ensure that the outside expert is working in
accordance to applicable standards.

Quality Assurance Implications (QAI&M)

During QAC meetings (refer to Section 9, Element 6 “Monitoring” for further details) and
the post audit quality assurance of an individual audit, any utilization of outside experts
should be reviewed along with the work produced by them, and the procurement process
should be evaluated according to applicable procurement laws & regulations. Refer to
Annexure G.1.1 - Post-audit Quality Assurance Checklist for details regarding the
template to be used during the post audit quality assurance conducted by inspection
teams from QAI&M Wing.

SAls should ensure that applicable standards are followed in all work carried out, and
if any requirement in a standard is not followed, SAls should ensure the reasons are
appropriately documented and approved. (ISSAI 140 element 5 section 4, page 19)

31
www.ppra.org.pk/Rules.asp

70 |
21. As mentioned in Section 13 of this Element, quality of an audit is assured through
adherence to the principles of DAGP auditing standards. Section 15 of this Element
describes the supervisory mechanism designed to ensure that applicable standards are
followed in all work carried out.
Quality Control Implications (FAO-Level)

To assist in the supervisory task, the FAO should document the relevant standards that
are applicable to the field auditors for each audited formation, depending on the nature
of the audit.
Then, upon commencement of supervisory visits as per the supervision plan, the
application of these standards should be reviewed by the supervisory officer. Should any
requirement of the standard be ignored, the reasons should be appropriately
documented in the supervisory checklist. Refer to Annexure F.3.5 Supervision Checklist
for the template to be used for supervising the field audits.

SAls should ensure that any differences of opinion within the SAI are clearly
documented and resolved before a report is issued by the SAI. (ISSAI 140 element 5
section 5, page 20)

22. In situations where differences of opinion arise, the conclusions reached should be
documented and assessed prior to the submission of the relevant audit report. Until the
matter is resolved, the report should not be finalized and submitted.
23. For contentious matters, the procedures listed in Sections 17 - 20 of this Element should
be followed regarding the enlisting of an outside expert.
24. Differences in opinion may arise within the audit teams, with those consulted or with the
EQCR (details of whom is found in Section 17, Element 3 “Acceptance and
Continuance”).

SAls should ensure appropriate quality control policies and procedures are in place
(such as supervision and review responsibilities and engagement quality control
reviews) for all work carried out (including financial audits, performance audits, and
compliance audits). SAIs should recognise the importance of engagement quality
control reviews for their work and, where an engagement quality control review is
carried out, matters raised should be satisfactorily resolved before a report is issued
by the SAI. (ISSAI 140 element 5 section 6, page 20)

6.3.1. Supervision
25. A sound system of supervision and review of audits is essential for maintaining the
quality of an audit. Supervision involves directing audit staff and monitoring their work to
ensure that the audit objectives are met. Supervision involves assigning responsibilities,
providing sufficient guidance to staff members, staying informed about significant
problems encountered, reviewing the work performed with the aim of promoting quality
and learning, overseeing individual development, providing periodic feedback and
effective on-the-job training.
26. Supervision is essential to ensure the fulfilment of audit objectives and the maintenance
of the quality of the audit work. INTOSAI auditing standards state that the work of the

71 |
 audit staff at each level and audit phase should be properly supervised during the audit
and documented work should be reviewed by a senior member of the audit staff.
27. Supervision (and review) involves ensuring that:
• the members of the audit team have a clear and consistent understanding of the
audit plan;
• the audit is carried out in accordance with the auditing standards and practices of
the SAI;
• the audit plan and action steps specified in that plan are followed unless a variation
is authorised;
• working papers contain evidence adequately supporting all conclusions,
recommendations and opinions;
• the auditor achieves the stated audit objectives; and
• the audit report includes the audit conclusions, recommendations and opinions,
as appropriate.

Quality Control Implications (FAO-Level)

DG of the respective FAO should ensure that a supervisory plan be developed prior to
the commencement of audits and incorporated in the instructions to field audit teams
(refer to Annexure F.2.2 Template for Field Audit Instructions for further details). The
plan should designate the supervisory officers for each audited entity undergoing an
audit. The supervisory officers should be sufficiently skilled and knowledgeable of the
audit that they intend to supervise.
A supervision checklist should be conducted during the supervisory visits planned as a
means to review the audit work performed. Refer to Annexure F.3.5 Supervision
Checklist for the template to be used for supervising the field audits.

28. Supervisory officers should consider whether the staff members clearly understand the
work expected of them, the reasons for accomplishing the work and the timelines
established by the audit plan. With experienced staff, supervisors may decide the scope
of the audit work and leave details to the staff. Where the staff is less experienced,
supervisors may have to specify audit procedures to be performed as well as techniques
for gathering and analysing data.
29. Some of the more important responsibilities of the supervisory officers in relation to audit
are to ensure:
• that the work, including evidence collection and documentation, is executed in
accordance with the auditing standards and the audit plan more particularly, in
tune with the audit objectives;
• all significant deviations, where necessary, are made only with prior authorisation
of the top management i.e. competent authority or under intimation to them;
• adherence to the better practices contained in the audit guidelines / methodologies
/ other instructions of the DAGP;
• the audit team is provided oral and written guidance in conduct of the audit;

72 |
 • that confidentiality and integrity of information obtained from the entity, persons
and other sources are maintained; and
• that the factual basis of information, descriptions, analyses and recommendations
are accurate, and they are fair, balanced and well founded, that they are correctly
communicated to the entity.
30. The level of review and supervision should take into consideration the risk of the audit.
The DAGP should consider additional review and supervisory procedures on more high
risk audits (refer to Section 17, Element 3 “Acceptance and Continuance) for further
details for the review of higher risk audits).
6.3.2. Review
31. All audit work should be reviewed by a senior member of the audit staff before audit
opinions or reports are finalized. It should be carried out as the audit progresses. Review
brings more than one level of experience and judgment to the audit task and should
ensure that:
• All evaluations and conclusions are soundly based and are supported by
competent, relevant and reasonable audit evidence as the foundation for the final
audit opinion or report;
• All errors, deficiencies and unusual matters have been properly identified,
documented and either satisfactorily resolved or brought to the attention of a more
senior officer(s); and
• Changes and improvements necessary to the conduct of future audits are
identified, recorded and taken into account in later audit plans and in staff
development activities.
32. A review ensures the involvement of higher levels of management with the audit process
and provides an assurance that the work has been carried out as per the standards and
guidelines.

Quality Control Implications (FAO-Level)

Before an audit report is finalized, it should undergo an independent audit review. An

EQCR enables the performance of a secondary review, separate to the primary review
conducted by senior members of the audit team, to provide an out-of-the-box perspective
of the audit, which can only be effectively performed by an individual separate from the
audit team. An EQCR should be an AO (or this role assigned to any other staff as per
discretion of the DG of respective FAO), independent from the audit team, who conducts
an objective evaluation of significant matters, including risks identified and significant
judgments made by the audit team, and the team’s conclusions reached in formulating
the audit report. For high risk audits, the audit work performed should be reviewed in
detail. The EQCR should be any independent AO within the FAO with no involvement in
the work of the audit team. For audits of a specialized nature, the EQCR should have
the necessary knowledge and expertise in order to assess the quality of the work
performed appropriately.

73 |
 Quality Assurance Implications (QAI&M)

It is good practice for QAI&M Wing to conduct reviews of an entire audit file, after its
finalization, for at least one audit of every FAO for an interval of at least three years.
These reviews are known as cold file reviews and are meant to ensure that the audits
have been completed in accordance with the DAGP’s procedures and with applicable
INTOSAI standards; in addition, the reviews should ensure that an appropriate audit
opinion was given. Refer to Annexure G.1.2 “Cold File Quality Assurance Review of
Audit” for the template that may be used for conducting cold file reviews.

33. Reviews of audit work should be documented. The nature and extent of review of audit
work may vary depending on a number of factors, such as size of the audit organization,
significance of the work, risk level and experience of the staff. In cases, where there are
particular concerns of public interest or audit risk is high or accounts are qualified, multi-
level review procedures may be applied as appropriate. However, where performance
audit is assessed as ‘no known or minimal potential risk’, the number of layers or review
and quality checks may be reduced to have the audits completed in a shorter time frame.

Quality Control Implications (FAO-Level)

Quality control during the supervision and review activities are ensured with the help of
the following:
• Adherence to auditing standards and guidelines (Sections 15 & 21 of this
Element);
• Strict conformity to the prescribed supervision and review system (Sections 25 -
33 of this Element);
• Periodic reporting and monitoring during the audit process (Sections 12 & 13,
Element 6 “Monitoring”); and
• Peer review (Sections 17 - 22 Element 6 “Monitoring”).

If SAIs are subject to specific procedures relating to rules of evidence (such as SAIs
with a judicial role), they should ensure that those procedures are consistently
followed. (ISSAI 140 element 5 section 8, page 20)

34. Note that the DAGP is not an SAI with a judicial role, so elements of this standard
requirement do not apply.
35. The AGP may be requested to undertake any audit, but the manner through which is left
to their discretion. FAM Section 4.3.9 states, “In cases where the legislature requests
the AGP to undertake any audit, the Department of the AGP shall be free to determine
the manner in which it conducts its work, including those tasks requested by the
legislature.”
36. The DAGP should have policies and procedures in place for that instruct DAGP staff at
various levels on how to communicate with the Judiciary and / or prosecuting and
investigating agencies regarding audit findings that are relevant to those agencies.
37. The DAGP should brief the Judiciary and / or prosecuting and investigating agencies
about the role of the SAI in relation to investigations and legal proceedings that are

74 |
 initiated on the basis of the SAI’s audit findings in order to reduce the risk that the DAGP
accidentally impedes such processes through its audit work in cases where audit
findings may lead to legal proceedings.
38. The DAGP should have a system in place for follow-up on cases that have been
transferred to the Judiciary and / or prosecuting and investigating agencies.
39. Laws and regulations may be in place requiring the auditors to understand and follow
precise documentation procedures related to rules of evidence. DAGP auditors should
familiarize themselves with the policies and procedures describing additional
requirements relating to audit documentation and that are designed to ensure
compliance with applicable rules of evidence. As per ISSAI 1230 Audit Documentation
P-1532, “The following matters may affect audit documentation and are considered by
the auditor:
• Legislation imposing additional audit documentation requirements;
• The scope of such requirements (i.e. are they to be imposed on every document
from the audit assignment or on specific documents relating to certain audit
issues);
• Additional processing, formalities or requirements to which audit documents are
subject;
• The purpose of each additional requirement with respect to the due process of
law; and
• Any further impairment that may be placed upon audit documentation due to the
specific ways it has been collected and / or produced.”
To ensure any applicable rules of evidence are appropriately complied with, the DAGP
should consider incorporating any such rules of evidence in their policies and
procedures for audit documentation. Refer to Sections 58 - 65 of this Element for further
details on audit documentation and recordkeeping in the DAGP.

SAls should ensure timely documentation (such as audit work papers) of all work
performed. (ISSAI 140 element 5 section 10, page 20)
SAIs should ensure that all documentation (such as audit work papers) is the
property of the SAI, regardless of whether the work has been carried out by SAI
personnel or contracted out. (ISSAI 140 element 5 section 11, page 20)
Note: This requirement generally applies to all phases of the audit cycle.

6.3.3. Working Papers

40. The Execution File of an audit should contain all audit working papers used in the audit,
consisting of the audit evidence used to formulate audit findings. The audit working
papers should be maintained and its completeness should be ensured.
41. All relevant documents and information collected and generated during an audit
constitute the working papers. They include the documents recording the audit planning

32
www.static1.squarespace.com/static/57019a6db6aa607cbb909ab2/t/58dc0cb746c3c49f850c2d1c/1490816188021/issai-
1230-pn.pdf

75 |
 (including the audit objectives), determination of criteria, audit procedures, evidence
analysis and the audit findings & conclusions. The working papers should encompass
the entire process of auditing, from planning to execution to reporting, and should serve
as a connecting link among them. They should be sufficiently complete and detailed
enough to provide a clear trail and understanding of the audit. There is an important
necessity of maintaining confidentiality of the working papers and safe custody of the
working papers. They should be retained for a period sufficient to meet the professional,
legislative and legal requirements.
Some of the broad characteristics of working papers are:
• Completeness and accuracy: Working papers should be complete and accurate
to provide support to audit conclusions and recommendations.
• Clarity and conciseness: Working papers should be clear and concise. Anyone
using them should be able to understand the entire audit process without need for
any supplementary examination
• Facilitate preparation: Working papers should be easy to prepare. This may be
achieved by using agency-produced documents and reports.
• Legibility and neatness: Working papers should be neat and legible.
• Relevance: Working papers should be restricted to matters, which are important,
pertinent and useful for the purpose
• Facilitate review: The working papers should contain cross-references to the audit
memoranda, discussion papers, audit observation, field audit report etc. to enable
the supervisory officers and DAGP top management to link the working papers to
audit conclusions and recommendations.
• Organisation and facilitation of reference: The working papers may contain an
easy to follow index with proper narration for all volumes in an audit summary file
and an index for each of the working paper files.

Quality Control Implications (FAO-Level)

A template known as the Execution File Working Paper Checklist found in the Working
Paper Kit in FAM should be used to capture all relevant working papers for the execution
phase of the audit. Most performas for these working papers are found in the relevant
manual for the audit if not in the Working Paper Kit. The Execution File should undergo
appropriate quality control procedures. The following templates should be followed so
as to ensure acceptable quality during the audit execution phase:
• Annexure F.3.1: Quality Control Review of Execution File & Reporting File –
This report is prepared to point non-compliance of quality controls on Execution
file and Reporting File. This is to be prepared for each planned audit assignment
at the end of Execution Phase. Corrections are to be made before finalization of
report.
• Annexure F.3.2: Execution File: Significant Issues Identified during
Execution – This report is to be prepared within one week of the completion audit
execution phase for each audit entity to portray significant reportable issues
identified during the execution of audit with respect to planned audit focuses.

76 |
 • Annexure F.3.3: Monthly Status Report of Audit Plan – prepared to ensure that
the formations are being audited and the Audit Inspection Reports (AIRs) are being
issued on timely basis as projected in the audit plans. If the concerned DAG deems
it appropriate, the FAO may prepare it at a higher frequency (such as on a
fortnightly basis).
• Annexure F.3.4: Summary of Quality Control Review of Audit Execution &
Reporting – Prepared at the end of execution phase for the purpose of updating
the concerned DAG to exceptions identified during Quality Control Review of the
Execution & Reporting phase.
During supervision and review, working papers should have their correctness and
completeness checked. Refer to Sections 25 - 32 of this Element for further details
regarding these procedures.

Quality Assurance Implications (QAI&M)

The DAGP should ensure timely documentation of all work performed, which shall
include audit working papers. Adherence to timelines stipulated by the respective audit
plan of the audit shall be reviewed by inspection teams sent by QAI&M Wing to each
FAO (refer to Section 8 Element 6 “Monitoring” for further details regarding these
inspections).

6.3.4. Usefulness of good documentation

42. Good working papers can contribute to the effectiveness of various administrative tasks
required for the proper management of an audit assignment like facilitating adequate
planning, adequate control over the field work and review and reporting to superiors. The
content and arrangement of the working papers reflect the degree of proficiency,
experience and knowledge. Documentation is a vital aspect of maintaining professionally
acceptable standards of auditing for the following reason:
• It provides an adequate and defensible basis for audit opinions expressed in the
reports;
• Good working papers provide a vital link between the audit examination
procedures and the audit report;
• Audit findings can be explained better to the legislative committees;
• It provides link between successive audits;
• It provides a basis for quality assurance reviews; and
• It facilitates the process of approval of the audit report within the DAGP.

Quality Control Implications (HO-Level)

The DAGP should facilitate the effective storage of all documentation maintained by
FAOs by providing a digital platform with ownership and access controls. An Audit
Management Information System (AMIS) should be developed to assist in ensuring the
completeness of documentation for every audit and to enable DAGP staff to easily
access records from anywhere. An AMIS’s objective is to handle an organization’s
database in an effective manner while providing computing facilities, assisting users in

77 |
 decision making as a result. The AMIS may also assist in the execution of audits by
providing a platform for computer assisted audit techniques and quick access to audit
methodologies, manuals and guidelines that may be relevant to the audit work.

6.3.5. Audit Evidence

43. Audit evidence is information collected and used to support audit findings. Audit
conclusions and recommendations stand on the basis of such evidence. Consequently,
auditors should give careful thought to the nature and amount of evidence they collect.
The auditor should obtain sufficient and appropriate audit evidence to be able to draw
reasonable conclusions and audit opinion. ISSAI 400 Section 4833 states that
“Documentation should be prepared at the appropriate time and should provide a clear
understanding of the criteria used, the scope of the audit, the judgments made, the
evidence obtained and the conclusions reached.”
44. Competent, relevant and reasonable evidence should be obtained to support the
auditor's judgement and conclusions regarding the organisation, programme, activity or
function under audit.
45. The auditing standards of DAGP prescribe inter-alia that (i) data collection and sampling
techniques should be carefully chosen; (ii) the auditors should have a sound
understanding of techniques and procedures such as inspection, observation, enquiry
and confirmation, to collect audit evidence; and (iii) the evidence should be competent,
relevant and reasonable.
46. ISSAI 400 Section 4833 states that “Documentation should be sufficiently detailed to
enable an experienced auditor, with no prior knowledge of the audit, to understand the
following: the relationship between the subject matter, the criteria, the audit scope, the
risk assessment, the audit strategy and audit plan and the nature, timing, extent and
results of the procedures performed; the evidence obtained in support of the auditor’s
conclusion or opinion; the reasoning behind all significant matters that required the
exercise of professional judgement; and the related conclusions. The auditor should
prepare relevant audit documentation before the audit report is issued, and the
documentation should be retained for an appropriate period of time.”
47. The DAGP should ensure that all its documentation produced, including audit working
papers, are its own property, regardless of whether the work has been carried out by
DAGP personnel or contracted out. As per FAM Section 13.3 Custody and Maintenance
of Working Paper Files, “Working paper files are confidential and are the property of
DAGP. Material should not be removed from the files without the specific authority of the
responsible Audit Manager. The auditor is responsible for their custody and safekeeping
at all times until they are placed in official archives. Working papers are not for general
disclosure. Where they are to be shared with other auditors, or other bodies, the following
guidelines should be respected:
• No copies of working papers should be given or shown to members of the audit
entity;
• Working papers should not be made available to third parties except in special
circumstances;

33
www.issai.org/wp-content/uploads/2019/08/ISSAI-400-Compliance-Audit-Principles-1.pdf

78 |
 • Where DAGP is prepared to provide access to working papers by third parties,
normally, the consent of the audit entity should be obtained first;
• Files and papers should be reviewed before they are made available;
• DAGP should at all times retain control over the papers and documents and
inspection should take place under the supervision of a representative of DAGP;
• Where DAGP is asked to produce working papers in connection with legal
proceedings, or investigations by government bodies, for example under a court
order, legal advice should be obtained before producing them; and
• Where DAGP is required to produce original papers or documents in legal
proceedings, copies should be retained.
• Access to audit files should be controlled and the storage area should be secure."

Quality Control Implications (HO-Level)

Retaining ownership of all documentation produced by the DAGP should be achieved

by including this requirement in all of its written contracts.

Quality Control Implications (FAO-Level)

The aforementioned guidelines stated within this Section for the sharing of working
papers should be applied at the FAO level. For further details regarding the
recordkeeping and audit documentation refer to Sections 58 - 65 of this Element.

6.3.6. Evidence analysis

48. Evidence gathered in the context of audit objectives should be analysed and tested
against the audit criteria transparently to arrive at audit observations, conclusions and
recommendations. Sound evidence analysis consists, among others, of the following
important characteristics:
• it should be logical and self-sustaining;
• the conclusions and interpretations should be convincing; and
• it should support the audit observations.

Quality Assurance Implications (QAI&M)

During QAC meetings (refer to Section 9 Element 6 “Monitoring” for further details) and
the post audit quality assurance of an individual audit, evidence maintained and working
papers should be reviewed. Refer to Annexure G.1.1 - Post-audit Quality Assurance
Checklist for details regarding the template to be used during the post audit quality
assurance conducted by inspection teams from QAI&M Wing.

79 |
 6.4. Audit Reporting and Follow-ups
SAls should ensure that procedures are in place for authorising reports to be issued.
Some work of SAIs may have a high level of complexity and importance that requires
intensive quality control before a report is issued. (ISSAI 140 element 5 section 7,
page 20)

49. The audit report is the written communication of the results of audit undertaken. The
audit report is the manifestation of the quality of all audit processes from within the
DAGP; hence, the DAGP is ultimately judged by the quality of its audit report.
50. The audit report is an important link in ensuring accountability for public resources
because it enables the stakeholders including the public to determine whether:
• government resources are managed properly and used in compliance with laws
and regulations;
• government programmes are achieving their objectives and intended outcomes;
and
• government services are being provided efficiently, economically and effectively.
51. Audit reporting should comply with applicable laws, regulations and auditing standards.
The audit report should be complete, accurate, objective, convincing, clear and concise
as the subject permits. Auditors should report the audit objectives, scope and
methodology and the results of the audit which include the findings, conclusion and
recommendations. The following standards apply equally to all reports with variations in
the scope of these reports:
• The audit report should be complete.
• Accuracy requires that the evidence presented is true and the conclusions be
correctly portrayed.
• Objectivity requires that the presentation throughout the report be balanced in
content and tone.
• Being convincing requires that the audit results be presented persuasively, and
the conclusions and recommendations followed logically from the facts presented.
• Clarity requires that the report be easy to read and understand.
• Being concise requires that the report is no longer than necessary to convey the
audit opinion and conclusions.
• Being constructive requires that the reports also includes well thought out
suggestions, in broad terms, for improvements, rather than how to achieve them.
• Timeliness requires that the audit report should be made available promptly to be
of utmost use to all users, particularly to the audited entity and / or Government
who have to take requisite action.

80 |
 Quality Control Implications (FAO-Level)

An audit completion checklist, found in the Working Paper Kit in FAM under the
evaluation & reporting file templates and mentioned in Section 2 of this Element, should
be used during the reporting phase in order to ensure that the audit has been carried out
in a satisfactory manner, sufficient evidence has been obtained and that the audit opinion
is appropriate.

Quality Assurance Implications (QAI&M)

As quality assurance is the review of audit products to identify defects and ensure that
quality control procedures and processes are working effectively, QAI&M Wing should
perform quality assurance of all audit reports produced by respective FAOs. Quality
assurance reviews on the audit reports are performed through QAC meetings, which are
further detailed in Section 9, Element 6 “Monitoring”. The templates to be used at QAI&M
Wing in this regard include the templates Annexures G.2.3 - G.2.5.
Any quality assurance review should appreciate the level of risk assessed in the audited
entities and QAI&M Wing should consider applying a greater level of detail in their
reviews for audits of greater complexity and / or importance.
Quality assurance of the reporting process and the final output is assured by:
• Adherence to the auditing standards and the guidelines;
• Transparent audit and audit management process documentation of the entire
reporting process;
• Securing audited entity responses at all stages of the audit process;
• Concurrent supervision and control by FAOs;
• Quality control assessment and review by FAOs before approval of the report; and
• Technical inspections conducted by QAI&M Wing and any peer reviews of the
audit process.
The audit reports should also strive to be understandable for all stakeholders that shall
use the report for their purposes. To enhance the clarity and understandability of an audit
report, the following attributes should be present in the report:
• Use of non-technical language. All technical terms, unfamiliar abbreviations and
acronyms should be clearly defined when used;
• Logical organization of material;
• Accuracy and precision in stating facts and in drawing conclusions;
• Effective use of titles and captions and topic sentences; and
• The audit report should be no longer than necessary to convey and support the
message. Needless repetition should be avoided.
The mechanisms employed at QAI&M Wing should include reviewing the audit cycle
leading up to producing the audit reports, keeping in consideration the above quality

81 |
 initiatives. Details of these mechanisms are provided in Section 9 Element 6
“Monitoring”.

6.4.1. Reporting of Illegal or Fraudulent Acts

52. While reporting on irregularities or instances of non-compliance with laws or regulations,
the auditor should be careful to place his / her findings in the proper perspective. The
extent of non-compliance can be related to the number of cases examined or quantified
monetarily. Reports on irregularities may be prepared irrespective of a qualification of
the auditor's opinion. By their nature, they tend to contain significant criticisms, but in
order to be constructive, they should also address future remedial actions by
incorporating statements by the audited entity or by the auditor, including conclusions or
recommendations.

SAIs should ensure appropriate procedures are followed for verifying findings to
ensure those parties directly affected by the SAI’s work have an opportunity to
provide comments prior to the work being finalised, regardless of whether or not a
report is made publicly available by the SAI. (ISSAI 140 element 5 section 12, page
20)
Note: This follow-up activity is carried out during the execution of an audit.

53. INTOSAI P-20 Principle 334 states, “The SAI’s audit findings are subject to procedures
of comment and the recommendations to discussions and responses from the audited
entity”.
54. The audit reporting process begins with submission of an AIR to the Head of the Audited
Entity with a request to submit replies and clarifications / comments on the audit
observations. Depending on the veracity and relevance of replies / clarifications received
and the materiality of the observations in the AIR, these are further processed for
reporting in the Audit Report submitted by the DAGP.
55. Upon completion of fieldwork, auditors should carry out exit meetings. Exit meetings are
significant since any additional information, explanations, documentary evidence are
expected to be obtained from the management to make appropriate judgment on the
audit findings. It can further help the auditor in reconfirming or modifying the audit
conclusions and enable the auditor in making suitable modification in audit conclusions
based on the management response. Management responses should be obtained in
written form. It is good practice for the audit team leader to determine whether there are
any sensitive issues that need to be brought to the attention of the Director and DG of
the FAO prior to discussing them with the audited entity.

Quality Control Implications (FAO-Level)

During the reviews of audit reports, the audit team should consider management
responses and obtain follow-ups / updates, if applicable. Refer to Sections 31 - 33 of this
Element for details regarding review as a quality control aspect in an FAO.

56. If management responses are not received in due time, reminders should be sent to the
Head of the Audited Entity. Included in these reminders should be a statement signifying

34
www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_11_to_P_99/INTOSAI_P_20/INTOSAI_P_20_en.pdf

82 |
 that timelines in the reporting and submission of audit reports would not be delayed and
shall be strictly adhered to. If management responses are not received by the time QAC
meetings and / or Accounts Committee meetings are held, the report should state why
no management responses are included. The Accounts Committee should instruct the
audited entity to provide their management responses.
57. Following the submission of an audit report and after the PAC issues its directives to the
audited entity, the DAGP should have a mechanism in place to monitor actions taken by
the audited entity in response to audit matters. As per ISSAI 100 Principle 51 Follow-
Up35, “SAIs have a role in monitoring action taken by the responsible party in response
to the matters raised in an audit report. Follow-up focuses on examining whether the
audited entity has adequately addressed the matters raised, including any wider
implications. Insufficient or unsatisfactory action by the audited entity may call for a
further report by the SAI.”

Quality Control Implications (FAO-Level)

A monitoring system should be in place at the FAO-level to identify management action

plans against audit matters raised and to determine their progress as well as
effectiveness. To achieve this, it is important to produce status reports including PAC
directives levied against the Audited Entities of the FAO. These reports should be
produced at regular intervals and shared with the PAC. If there is insufficient or
unsatisfactory action, the PAC may be able to take further actions, including instructing
for a further report by the DAGP. The findings of the monitoring system should be noted
by the teams from QAI&M Wing when they are conducting their quality assurance
activities at the FAO.

SAIs should ensure that they retain all documentation for the periods specified in
laws, regulations, professional standards and guidelines. (ISSAI 140 element 5
section 13, page 20)
Note: This requirement generally applies to all phases of the audit cycle.

58. The auditor should document matters which are important in providing evidence to
support the audit conclusions and findings and to confirm that the audit was carried out
in accordance with relevant auditing standards adopted by the DAGP. The
documentation may be in the form of data stored on paper, film, electronic and other
media and provides the link between the audit work and its resultant outputs. The
documentation should cover the basis and extent of audit planning, audit methodology,
procedures & policies, research design, the audit performance and the audit results &
findings. Proper documentation of evidence is also one of the important measures of
quality assurance and should be considered during any reviews of the audit.
59. The auditor should bear in mind that the content and arrangement of the working papers
reflect the degree of the auditor's proficiency, experience and knowledge. Working
papers should be sufficiently complete and detailed to enable an experienced auditor
having no previous connection with the audit subsequently to ascertain from them what

35
www.issai.org/wp-content/uploads/2019/08/ISSAI-100-Fundamental-Principles-of-Public-Sector-Auditing.pdf

83 |
 work was performed to support the conclusions. Refer to Section 40 - 47 of this Element
for further details on quality documentation.
60. As discussed in Section 39 of this Element, documentation should also consider any
applicable rules of evidence established by any legislature governing an audit. These
requirements should be incorporated with the general recordkeeping and documentation
requirements stipulated within the DAGP (see Section 65 of this Element).
61. General recordkeeping and documentation rules should be stipulated and strictly
adhered to by all FAOs. Current requirements in this regard are found in Annex-I of the
DAGP MSO Book 201736 and is as follows:
“a) The following should on no account be destroyed:
i) Records connected with expenditure which is within the statute of limitation.
ii) Records connected with expenditure on projects, schemes, or works not completed,
although beyond the period of limitation.
iii) Records connected with claim to service and personal matters affecting persons in
the service.
iv) Orders and sanctions of a permanent character, until revised.
b) The following should be preserved for not less than the periods specified against
them:-
i) Register of contingent expenditure - 5 years
ii) Detailed budget estimates of office - 5 years
iii) Travelling allowance bills - 3 years
iv) Service Books - 5 years (after death or retirement, whichever is earlier.)
v) Leave accounts of non-gazetted government servants - 3 years (after death or
retirement)
vi) Cases in which invalid persons have been sanctioned - 25 years
vii) Other pension cases - 5 years (after retirement)
viii) Statement of monthly progressive Expenditure and correspondence relating to
discrepancy in figure - 2 years
ix) Mortality return of pensioners - 5 years"
These rules are subject to change and the latest version of these requirements should
be consulted.

SAls should balance the confidentiality of documentation with the need for
transparency and accountability. SAls should establish transparent procedures for
dealing with information requests that are consistent with legislation in their
jurisdiction.
Note: This requirement generally applies to all phases of the audit cycle.

62. In general, the DAGP should include in the audit report whatever it deems appropriate
(see Section 35 of this Element). However, certain information may not be freely
disclosed, particularly when there is a stake in national security or interest in doing so.
In this situation, the DAGP should be able to make a separate unpublished report
including such confidential or sensitive material, but only be made available to persons

36
www.agp.gov.pk/SiteImage/Misc/files/DAGP-MSO-Book-2017(2).pdf

84 |
 authorized by law or regulations. Alternatively, the DAGP should be able to choose to
not include such information in the audit report, but the nature of the information omitted
and the requirement that makes the omission necessary should be stated in the report.
In any such scenarios, consultation with a legal counsel should be performed.
63. Staff of the DAGP should comply with confidentiality and transparency ethical
requirements as described in the Code of Ethics mentioned in Section 6, Element 2
“Ethics”.
64. Any contracting of third parties should be subject to appropriate confidentiality
agreements.

Quality Control Implications (HO-Level)

As stated in Section 18 of this Element, any procurement of such third parties should
follow the appropriate rules & regulations. The written contract with the selected third
party should contain the confidentiality agreement.

65. It is important to understand that confidentiality and transparency strike a delicate

balance. It is in the public interest to be able to request information from the government
and for them to review the procedures in place at the DAGP, which would enhance
accountability. A good practice is to issue a communication policy, and corresponding
rules, including guidance on:
• Which information needs to be considered confidential and for how long;
• Which information can be disclosed and at what stage;
• Who, in the SAI, can provide information to whom; and
• Which procedures should be followed in each situation.
Desirably, this communication policy should be made public, so that stakeholders,
citizens and audited entities know what to expect and how to proceed.

Quality Control Implications (HO-Level)

The Right of Access to Information Act 2017, Section 337 states, “(1) Subject the
provisions of this Act, no applicant shall be denied access to information record held by
a public body.”
The Right of Access to Information Act 201737 also includes information exempt from
disclosure, as stated in Section 16:
“(1) Subject the provisions of this Act,
a) A public body shall not be required to disclose exempt information,-
(i) provided that where only part of a record or the information falls within the
scope of the exceptions provided for in this Act, that part shall be severed and
the residual record or information shall be provided to the applicant;
(ii) if its disclosure is likely to cause damage to the interests of the
Islamic Republic of Pakistan in the conduct of international

37
www.na.gov.pk/uploads/documents/1506960942_594.pdf

85 |
 relations.
b) information may be exempt if its disclosure is likely to-
(i)result in the commission of an offence,
(ii) harm the detection, prevention, investigation or inquiry in a particular case,
(iii) reveal the identity of a confidential source of information;
(iv) facilitate at escape from legal custody; or
(v) harm the security of any property or system, including a building, a vehicle, a
computer system or a communication system,
c) information is exempt if its disclosure under this Act would involve invasion of privacy
of an identifiable individual, including a deceased individual, other than the applicant.
This exception shall not apply where-
(i)the third party has consented to the disclosure of the
information,
(ii) the person making the request is the guardian of the third party
or the next of kin or the executor of the will of a deceased third
party, or
(iii) the third party is or was an official of a public body and the
information relates to his functions as a public official,
d) information is exempt if and so long as its disclosure is likely to cause-
(i)damage to the economy as a result of premature disclosure of a
proposed introduction, abolition or variation of any tax, duty,
interest rate, exchange rate or any other instrument of economic
management,
(ii) damage to the financial interests of the public body by giving an
unreasonable advantage to any person in relation to a contract
which that person is seeking to enter into with the public body
for acquisition or disposal of property or supply of goods or
services, or
(iii) damage to lawful commercial activities of the public body,
e) information may be exempt if its disclosure is likely to cause serious prejudice to the-
(i)deface or security of Pakistan, or
(ii) the capability, effectiveness of armed forces of Pakistan or other
law enforcement agencies,
f) information may be exempted if its disclosure is likely to endanger life, liberty, health
or safety of any individual;
g) information may be exempted if-
(i) the information was obtained from a third party and, on its communication, it
would constitute an actionable breach of confidence, or
(ii) the information was obtained in confidence from a third party and it contains
a trade secret or -if communicated it may prejudice the commercial or financial
interests of that third party,
h) information may be exempt if it is privileged from production in legal proceedings,
unless the person entitled to the privilege has waived it,

86 |
 i) information may be exempt if its disclosure is likely to-
(i) cause prejudice to the effect we formulation or development of government
policy,
(ii) frustrate the success of a policy, by premature disclosure of that policy;
(iii) undermine the deliberative process in a public body by inhibiting the free and
frank provision of advice or exchange of views;
(iv) undermines the effectiveness of a testing or auditing procedure used by a
public body,
(v) prejudice the proceedings in a court or a tribunal; and
(vi) privileged information shared between counsel and the client,
j) reformation in respect of a crime may not be exempt, except the information relating
to-
(i) the prevention or detection of crime;
(ii) the apprehension or prosecution of offenders;
(iii) the administration of justice,
(iv) the operation of the immigration controls excluding ECL,
(V) the maintenance of security and good order in prisons or in other institutions
where persons are lawfully detained, and
(vi) any civil proceedings which are brought by or on behalf of a public body or
arise out of an investigation conducted,
k) the exemptions set out in section 16 of this Act shall cease to apply after every twenty
years and that record of public bodies shall be made public.”

87 |
 Element 6:
7
Monitoring
An SAI should establish a monitoring process designed to provide it with reasonable
assurance that the policies and procedures relating to the system of quality control
are relevant and adequate and are operating effectively. The monitoring process
should:
a) include an ongoing consideration and evaluation of the SAl’s system of quality
control, including a review of a sample of completed work across the range of
work carried out by the SAI;
b) require responsibility for the monitoring process to be assigned to an
individual or individuals with sufficient and appropriate experience and
authority in the SAI to assume that responsibility; and
c) require that those carrying out the review are independent (i.e. they have not
taken part in the work or any quality control review of the work.)
(ISSAI 140, key principle, page 21)

The DAGP should establish a monitoring process designed to provide it with

reasonable assurance that the policies and procedures relating to the system of
quality control are relevant, adequate and operating effectively. This process shall:
a) include an ongoing consideration and evaluation of the DAGP’s system of
quality control on a cyclical basis;
b) require responsibility for the monitoring process to be assigned to a suitable
person or persons with sufficient and appropriate experience and authority in
the DAGP to assume that responsibility; and
c) require that those performing the engagement or the engagement quality
control review are not involved in inspecting the engagements.

88 |
7.1. Index for Implications
As discussed in Section 1.6.3, quality control or quality assurance implications may arise to
impact the quality control or quality assurance systems of the DAGP (a summary of which is
available in Annexure E “Summary of Quality Control / Assurance Implications”); hence, the
index below has been developed to provide guidance regarding where details of the major
implications, relevant to this chapter, may be found. However, to truly understand and apply
ISSAI 140 in the work of the DAGP, it is strongly recommended to read the chapter in order.

ISSAI 140 Implication on DAGP Mechanism Aligning DAGP with Section

ISSAI 140 No.
The DAGP should ensure that their Quality assurance mechanism in the form 8-9
quality control system includes of FAO inspections, quality assurance
independent monitoring of the range of reports, External QAC mechanism and
controls within the SAI (using personnel cold - file quality assurance reviews.
not involved in carrying out the work).
The DAGP should ensure that their Details of the Post-audit Quality Assurance 10
quality assurance activities in the field are Mapping Plan.
carefully planned.
The DGs of each FAO should certify that The Internal QAC mechanism. 11
the audit reports produced under them
have undertaken the quality control
system of the DAGP appropriately.
The DAGP should monitor the status of Submitting key monitoring reports of the 12
audits against their audit plans and inform DAGP, for both quality control and quality
leadership of key matters in a timely assurance, to leadership in a timely
manner. manner.
The DAGP should allow audited entities Toll-free hotline, complaint management 15
and other stakeholders to formally systems and documenting complaints.
compile complaints against any staff of
the DAGP.
The DAGP should establish policies and The use of peer reviews to evaluate the 20
procedures in place to carry out DAGP’s performance against international
independent reviews of the overall system benchmarks.
of quality control.

89 |
7.2. Quality Assurance
SAIs should ensure that their quality control system includes independent
monitoring of the range of controls within the SAI (using personnel not involved in
carrying out the work). (ISSAI 140 element 6 section 1, page 22)

1. Quality assurance is a periodic evaluation of the audit process. It is a monitoring process

designed to provide the DAGP with reasonable assurance that the policies and
procedures relating to the system of quality control are relevant, adequate and are
operating effectively. Quality assurance should be carried out by individuals who are
independent, i.e. have not taken part in the audit process they are reviewing.
2. Maintenance of high quality work should be a basic operating principle of the DAGP.
Quality involves every aspect of the operations including its leadership, focus on client
needs, management of personnel, audit practices and other processes. Quality requires
a commitment from every staff of the DAGP to strive for continuous improvement.
3. A critical feature of DAGP’s quality management system should be the process for
measuring how well the DAGP is achieving its goals; specially, whether the AQMF is
appropriately designed and operating effectively. This is achieved through a variety of
review mechanisms.
7.2.1. The Role of QAI&M Wing
4. To ensure quality of performance, additional to the review of audit activity by personnel
having line responsibility for the audits concerned, an external review should be
performed by an independent wing of the DAGP.
5. This activity is performed to assist the DAGP to achieve effective management of its
own operations and sustain the quality of its performance and also to ensure that various
field units within the DAGP are functioning efficiently and maintaining quality and
timeliness in service delivery. This activity shall provide independent assurance of audit
quality to management, and those who rely on the work of the audit activity. Persons
who are involved in performing the review should be qualified, independent, and shall
not have any real or apparent conflict of interest.
6. For this purpose, the AGP has established a quality assurance wing called QAI&M Wing,
which is an independent wing with the mandate (refer to Annexure B “QAI&M Mandate”)
to act as an independent caretaker of the quality control system and to ensure
compliance with the internal control policies and procedures within DAGP and to derive
assurance that the quality control procedures are working effectively. QAI&M Wing shall
be headed by a DAG that reports directly to the AGP. The staff of QAI&M Wing shall not
be involved in the audit work performed by the FAOs and shall independently assess
and monitor the work of auditors as well as the controls in place in their office.
7. DAGP should ensure that experienced personnel are posted in QAI&M Wing and given
sufficient authority and independence to carry out the mandate. The staff of QAI&M Wing
should individually as well as collectively possess the knowledge, skills, and other
competencies needed to perform their responsibilities. QAI&M Wing may work with the
Administration & Coordination Wing to ensure their resources are aligned in this regard.

90 |
8. QAI&M Wing is the primary hub through which quality assurance activities are carried
out. These activities should entail quality assurance & administrative inspections of each
FAO, QAC meetings and quality assurance reviews of a sample of audits.

Quality Assurance Implications (QAI&M)

FAO inspections are conducted by sending inspection teams from QAI&M Wing to
each FAO on an annual basis. It is important that these are conducted by teams from
QAI&M Wing so that the work of the audit teams and the review performed by the EQCR
can be evaluated in an objective manner. The activities that should be performed are as
follows:
• Administrative Inspections: This activity should primarily cover compliance of the
overall audit plan of respective FAOs along with the verification of authorised
budgets (on a sample basis) allocated to each FAO for various audit activities over
the financial year. The team should inspect relevant records, including vouchers
and registers, to align activities with the FAO’s overall audit plan. This compliance
review with the overall audit plan does not include ascertaining performance while
carrying out individual audits. In addition, the team should assess the internal
control environment of the FAO, and any monetary impact because of weak
internal controls is highlighted. In summary, the primary focal areas for the report
should be (a) budget utilization (b) staff utilization as per audit plan (c) internal
control assessments. Sufficient time should be allocated for the thorough
performance of review procedures, which should follow a standard work
programme.
Although the primary focus of these inspections is on compliance with each FAO’s
overall audit plan rather than its performance while carrying out individual audits,
it still contributes to audit quality as it provides corroborative evidence through
budget and staff utilization for conducting the audits by FAOs.
These administrative inspections are carried out throughout the year and cover all
FAOs. An Administrative Inspection Report should be reviewed by senior
personnel of QAI&M Wing and then shared with the respective FAO for
management responses. After consideration of management comments, DAG
(QAI&M) should review prior to submitting to AGP for approval.
• Cold-file Quality Assurance Review: This activity is a cold file review of audits
already completed and available for public perusal, and it should be conducted on
an interval set by QAI&M Wing. The activity should be conducted for at least a
single audit of every FAO for an interval of at least three years. These reviews are
known as cold file reviews and are meant to ensure that the audits have been
completed in accordance with the DAGP’s procedures and with applicable
INTOSAI standards; in addition, the reviews should ensure that an appropriate
audit opinion was given and that PAC directives were appropriately addressed.
Refer to Annexure G.1.2 “Cold File Quality Assurance Review of Audit” for the
template that may be used for conducting cold file reviews.
• Post-Audit Quality Assurance Review: This activity is the performance of a quality
assurance review at the end of an audit to check completeness of all quality control
requirements for an effective and efficient audit. This activity should be conducted

91 |
 by the inspection teams sent by QAI&M Wing who should also perform the
aforementioned administrative inspection. This will allow for an independent
assessment of the audit and the effectiveness of quality control procedures in
place. This quality assurance should review the entire audit cycle of every audit
performed by the FAO and should follow the template prescribed in Annexure
G.1.1 “Post-Audit Quality Assurance Checklist”. If the timing of inspection is at
such a time that an audit of an audited entity is not complete, the previous year’s
audit of the audited entity should undergo the quality assurance review instead.
Alongside the post-audit quality assurance checklist, the teams from QAI&M Wing
should populate additional templates to support the quality assurance activity.
These templates include the following:
i) Annexure G.1.3: Summary of Quality Assurance Review Observations -
Prepared to identify quality assurance review observations with the inclusion
of FAO responses.
ii) Annexure G.1.4: Summary Review Memorandum - Highlights only medium
and high risk observations and the action plan / recommendations needed to
counteract them.
iii) Annexure G.1.5: Follow-up Continuity Schedule - Prepared to check
progress on each action plan / recommendation agreed by management for
the previous post-audit quality assurance review.
On the basis of these templates, including the post-audit quality assurance
checklist, DAGP should produce post-audit quality assurance reports to inform
senior management and leadership of findings in a structured manner. This
activity, described below in Section 9, should be conducted centrally at QAI&M
Wing after the completion of fieldwork.

9. Quality assurance reviews of the audit cycle are conducted by selecting a report from
an FAO and undertaking a review of their respective audit cycle, from planning,
execution to completion. As per GUID 3910 Section 10738, “A quality assurance process
allows audits to be independently assessed after their completion on a consistent basis
against specific criteria. The main purpose of such a process is to monitor the DAGP’s
quality control system as designed and assess if the appropriate controls are in place
and are working appropriately. Undertaking a quality control process would be step one
that the quality assurance process would review and the DAGP can develop the criteria
based on its particular circumstances, with examples of criteria-based questions
including:
• To what extent does the report clearly describe the context within which the area
examined is carried out?
• To what extent is the report well-structured and well written, and does it include an
effective executive summary?
• To what extent is the rationale for the scope clearly set out?
• Is the audit methodology clearly set out?

38
www.issai.org/wp-content/uploads/2019/08/GUID-3910-Central-Concepts-for-Performance-Auditing.pdf

92 |
 • To what extent were the report’s findings, conclusions and recommendations
balanced, logical, consistent and supported by the evidence quoted?
• To what extent has the audit been successful in concluding against its objectives
and providing useful information to help improve public services?
• To what extent is there sufficient documentation on team competencies, audit
procedures carried out, evidence to support findings, consultations done, and
treatment of comments received, and supervision?”

Quality Assurance Implications (QAI&M)

The particular quality assurance activities that should be performed centrally from
QAI&M Wing are as follows:
• Quality Assurance Reports: On the basis of the findings and information gathered
during the post-audit quality assurance performed by teams sent by QAI&M Wing,
Quality Assurance Reports should be prepared. The following templates should
provide guidance in this regard:
i) Annexure G.2.1: Report on Post-Audit Quality Assurance – This report
should be prepared by the Deputy Director (QAI&M) with the purpose of
providing an executive summary; the context of the audited entity and FAO;
the types of assignments subjected to the post-audit quality assurance review;
the objective, scope and methodology of the post-audit quality assurance
review; the findings of the Director during their reviews; the findings of the
team during the quality assurance review (Annexure G.1.3 & G.1.4) and the
previous post-audit quality assurance review report’s follow-up (Annexure
G.1.5).
ii) Annexure G.2.2: Annual Report on Post-Audit Quality Assurance - This
report should be prepared by the Director (QAI&M) with the purpose of
providing an executive summary; the objective, scope and methodology of the
post-audit quality assurance review; the name and number of FAOs along with
audit assignments reviewed; the summarized findings of the post-audit quality
assurance review with descriptions of areas that need improvements as well
as the corrective measures needed to address them and, finally, the follow-up
of previous reports. The annual report will combine all post-audit quality
assurance reports for the approval of the AGP.
• External QAC: This activity is the final quality assurance review to be performed
on all audit reports produced under the DAGs, by their respective FAOs, in the
country through a committee established at QAI&M Wing. The review should be
performed on the audit report, utilizing the various quality control and assurance
reports produced. Any findings of these reports should be discussed to obtain
follow-ups. On the basis of the review, QAI&M Wing should allocate marks
according to the level of quality determined of the audit report in question. Refer
to Annexure G.2.3 “QAC Meeting on the Audit Report (Financial Audits)” or
Annexure G.2.4 “QAC meeting on the Audit Report (Other Audits)” for the template
and grading mechanism to be used when conducting External QAC.

93 |
 This activity should be wholly performed by QAI&M Wing, and meetings should be
chaired by DAG (QAI&M) and attended by, at the minimum, DG (QAI&M), Director
(QAI&M) and representatives of the concerned FAO, including the respective DG,
Director and DD, so as to attain their feedback. Minutes of the meetings should be
prepared by QAI&M Wing to document their findings during the review, the
response obtained and the way forward in order to address the identified issues.
After rectification of issues (as identified through External QAC) by respective
FAOs, the updated report is resubmitted for another round of review by QAI&M
Wing. Updated reports are then formally submitted to AGP for approval and then
further submitted to the PAC, either through the President of Pakistan (for federal
level reports) or through the governor of the respective province.
Since this activity is strictly time-bound, QAI&M Wing should consider reallocating
senior members of inspection teams to assist in the review for the time period
during which External QAC meetings are to be conducted. The External QAC
should be performed according to a plan that respects deadlines of submitting the
audit reports to the PAC. Accordingly, the reviews should be completed latest by:
a. Phase 1 reports (comprised of financial attestation audit reports and some FAP
audit reports): 15-31 December.
b. Phase 1 reports (comprised of compliance audit reports): 14-28 February.
c. Phase 2 reports (comprised of all other reports): 15-30 September.

10. To be able to carry out the aforementioned quality assurance activities effectively, a
thorough planning process should be undertaken in order to ensure that QAI&M teams
may carry out their duties in an efficient, economic and effective manner.

Quality Assurance Implications (QAI&M)

As these quality assurance activities are intended to cover all FAOs with the post audit
quality assurance covering every audit performed, it is important that such activities be
made feasible through thorough planning. To be able to plan effectively, QAI&M Wing is
encouraged to obtain relevant data from FAOs, including the status of audits as per the
FAO’s audit plan (the latest compiled version of Annexure F.3.3 Monthly Status Report
of Audit Plan may be obtained), during the planning stage for fieldwork. A quality
assurance fieldwork plan should be prepared to allocate and match resources.
For post-audit quality assurance, it is important to identify the status of completed and
pending audits. If an audit is still pending, the field team should perform the post-audit
quality assurance on the previous year’s audit and document the fact. For a template in
this regard, refer to Annexure G.1.6 Post-audit Quality Assurance Mapping Plan.

7.2.2. Internal Quality Assurance

11. Prior to the External QAC, an internal quality assurance mechanism should be in place
and performed by the respective DAG, which shall undertake quality assurance reviews
of all reports developed by FAOs under the jurisdiction of the respective DAG. The
mechanism established by the DAG should be in the form of a committee to undertake
quality assurance reviews of the audit report and supporting files developed by the FAOs
falling under said jurisdiction.

94 |
 Quality Control Implications (HO-Level)

With each DAG establishing this mechanism in the form of an Internal QAC, each report
should have undertaken an internal quality assurance review prior to the External QAC
meeting. It is recommended for the Internal QAC meetings to follow the same manner
of review as External QAC meetings, i.e. the same templates should be considered,
which would provide an idea as to how well the report will score under a review from the
External QAC.
Meetings should be chaired by the DAG and attended by the DG (presenting report),
Director from the DAG office, Director from the respective FAO, DD from the respective
FAO and the EQCR from the respective FAO as well as at least two AOs of the FAO
responsible for preparing the audit report so as to attain their feedback, if required.
Minutes of the meetings should be prepared to document the findings of the internal
QAC, the response obtained and the way forward in order to address the identified
issues. To signify the conclusion of the internal QAC, a certificate should be prepared to
attest that an internal QAC was satisfactorily completed and the level of quality of the
audit report was considered acceptable, which should be attached alongside the internal
QAC report and minutes of the meetings. Refer to Annexure F.3.7 “Certificate of Quality
for the Audit Report (Financial Audit)” or Annexure F.3.8 “Certificate of Quality for the
Audit Report (Other Audits)” for a template of the mechanism. Afterwards, the audit
report is ready for the External QAC and should be sent to QAI&M Wing alongside the
aforementioned attachments.
The timing of Internal QAC should respect the timelines of submitting audit reports to
the PAC, and should be conducted prior to External QAC, allowing for sufficient time for
the External QAC to conduct its review. Directives from the External QAC should be
followed and the updated audit report should be submitted to QAI&M once more along
with a certificate stating all the errors/omissions pointed out by External QAC have been
rectified and all agreed recommendations for improvements have been incorporated in
the updated draft audit report. Refer to Annexure F.3.9 “Certificate of Quality for the
Updated Audit Report after QAC (All Audits)” for the template of this certificate. Finally,
the updated audit report shall then be formally submitted to AGP for approval with a
certificate attesting that the audit report is of acceptable quality. Refer to Annexure
F.3.10 “Certificate of Quality for the Printed Audit Report (All Audits)” for the template of
this certificate.
The Internal QAC lacks the independence required in a truly effective quality assurance
mechanism; therefore, this activity should be considered a supporting activity for the
External QAC mechanism and a means for certifying that the audit report in
consideration has been reviewed and considered to be an acceptable level of quality by
those who produced it.

95 |
7.3. Communicating Results of Monitoring
SAls should ensure the results of the monitoring of the system of quality control are
reported to the Head of the SAI in a timely manner, to enable the Head of the SAI to
take appropriate action. (ISSAI 140 element 6 section 3, page 22)

12. Systems of quality control have been described throughout this document related to
monitoring progress of the audit. These include supervision & review (Sections 25 – 33,
Element 5 “Performance of Audit and Other Work”), quality control reports (Sections 11
& 41, Element 5 “Performance of Audit and Other Work”) and quality assurance
(Sections 8 - 11 of this Element). It is imperative that these systems report crucial
findings to the appropriate levels of management within the DAGP and to its head, the
AGP.

Quality Control Implications (FAO-Level)

During the audit, monitoring reports should be prepared, informing appropriate

management levels within the DAGP of the status of the audit cycle (such as Annexure
F.3.3 Monthly Status Report of Audit Plan). DG of the respective FAO should ensure
that monitoring status reports be prepared at fixed, regular intervals during the
formulation of the audit plan and reported to the DAG, informing them of the status of
the audit plans. A summary report of all audit plans being prepared under the DAG
should be presented to the AGP, informing him of any key matters.
At the end of a quarter, a summary report detailing planned vs actual audit activities
should be prepared and submitted to the DAG and onwards to the AGP. Reasons for
any deviations from approved audit plan are adequately explained. This can be
supported by Administrative Inspections (refer to Section 8 of this Element for further
details) performed by QAI&M Wing inspection teams, who shall also produce reports
that shall be available for the AGP to review.
Section 11, Element 5 “Performance of Audits and Other Work” describes several of the
quality control templates to be used during the planning stage (Annexures F.2.1 -
Annexure F.2.6), which should be used to assist in monitoring the system of quality
control. These templates stipulate the appropriate approval and management level for
the information.

Quality Assurance Implications (QAI&M)

In addition to the above reports, quality assurance reports should also be prepared in a
timely manner and should inform the AGP of key matters. The quality assurance
templates (Annexures G.1.1 - G.2.5) include the appropriate approval and management
level within them. As stated in Section 9 of this Element, an Annual Report on Quality
Assurance Review (Annexure G.2.2) should be prepared for the AGP. The report should
be able to provide the AGP insights into the effectiveness of the quality control system
in place in the DAGP.

13. Aside from the monitoring reports of audits, there should also be a mechanism to monitor
progress against the strategic plans of the DAGP. These plans should include an

96 |
 implementation matrix and annual operational plans with monitoring reports prepared
against them to inform the AGP of progress towards their envisioned strategy. These
monitoring reports should be produced in a timely manner and according to the timelines
stipulated in the implementation matrix of the plan. Refer to Section 18 Element 1
“Leadership” for details regarding the implementation of the strategic plan.

97 |
7.4. Feedback
SAls should have procedures for dealing with complaints or allegations about the
quality of work performed by the SAI. (ISSAI 140 element 6 section 6, page 22)
SAls should consider whether there are any legislative or other requirements to make
monitoring reports public or to respond to public complaints or allegations related
to the work carried out by the SAI. (ISSAI 140 element 6 section 7, page 22)

14. Complaints, allegations and feedback are a crucial aspect and testament to the quality
control system in place at the DAGP. Without them, improvements are seldom able to
be performed. There are two types of complaint that need to be considered. Firstly,
complaints that the SAI has failed to comply with professional standards and regulatory
and legal requirements and secondly allegations of non-compliance with the SAI’s
system of quality control.
15. The DAGP should follow an established policy for obtaining and compiling complaints
levied against the DAGP as well as the means to tackle them.

Quality Control Implications (HO-Level)

A mechanism should be developed at the HO level to receive, document and monitor

such complaints. The mechanism should enable Audited Entities to formally compile a
complaint against any staff within the DAGP. All complaints and their responses should
be documented.
Quality Control Implications (FAO-Level)

When performing an audit of an audited entity, field audit teams should make a toll-free
hotline number be known. This number should lead directly to the respective ethics
committee held at the HO-Level, chaired by the concerned DAG, allowing users of the
number to levy a complaint anonymously. Refer to Section 16, Element 2 “Ethics” for
details regarding this function.
Within the quality control system of the FAO, a complaint management register or
equivalent system should be maintained, compiling all relevant complaints and updating
their status at fixed regular intervals, obtaining updates from personnel as required.
Designated staff monitoring such complaints should also manage complaints identified
by the Pakistan Citizen Portal mechanism, which may contain complaints against the
DAGP or against an audited entity relevant to the FAO. In the case of the former, the
complaints should be forwarded to the appropriate management level and follow-ups
should be attained, whether or not the complaint is deemed to be actionable. In the case
of the latter, the FAO should assess the complaint and consider it their risk assessment
procedures if appropriate.

16. The DAGP should follow an established policy for disclosing information related to
complaints, while respecting confidentiality. Refer to Sections 65, Element 5
“Performance of Audit and Other Works” for further information in this regard.

98 |
7.5. Independent Reviews
Where appropriate, SAIs should consider engaging another SAI, or other suitable
body, to carry out an independent review of the overall system of quality control
(such as a peer review). (ISSAI 140 element 6 section 4, page 22)
Where appropriate, SAls may consider other means of monitoring the quality of their
work, which may include, but not be limited to:
• independent academic review;
• stakeholder surveys;
• follow-up reviews of recommendations; or
• feedback from audited organisations (e.g. client surveys). (ISSAI 140 element 6
section 5, page 22)

17. The DAGP should establish policies and procedures in place to carry out independent
reviews of the overall system of quality control. The policy should establish the means
to perform various types of independent assessments of the quality of the DAGP’s work,
including, but not limited to, independent academic reviews, peer reviews from other
SAIs and stakeholder / client surveys.
18. QAI&M Wing should consider carrying out strategic assessments so as to determine
when it would be suitable to conduct one of the aforementioned activities. When doing
so, they should act as the focal person of the activity.
19. When an independent peer review is conducted on the DAGP, QAI&M Wing should
facilitate their activities and utilize their independence to assess the effectiveness of
systems of quality control as well as the implementation of established quality control
policies and procedures. As per INTOSAI P-20 Principle 939, “SAIs should publicly report
the results of peer reviews and independent external assessments.”
20. The benefit of a peer review, carried out by members of other national SAIs, is that the
members will clearly understand the role and responsibilities of the DAGP, while at the
same time they will have the distance from the DAGP to allow their assessment to be
independent. Using such a review provides an opportunity for the DAGP to demonstrate
its accountability to stakeholders, understanding that the main reason for quality
assurance is to improve audits, the audit process and the system of quality control. The
AGP can use the results of quality assurance reviews by circulating good examples of
audit reports within the DAGP for the benefit of all auditors. Where audit reports are
found to need strengthening, senior staff members should assess the quality control
system to identify which controls might need strengthening to produce audit reports that
meet the standards of the DAGP and work with the audit teams to identify lessons
learned and possibilities for training, mentoring and coaching in specific areas.

39
www.intosai.org/fileadmin/downloads/documents/open_access/INT_P_11_to_P_99/INTOSAI_P_20/INTOSAI_P_20_en.pdf

99 |
 Quality Assurance Implications (QAI&M)

SAIs conducting international peer reviews are currently using the IDI SAI PMF40 for
SAIs to assess the performance of the institutions they are performing peer reviews
upon. As per the IDI Strategic Management Handbook Chapter 4 Page 541, “Generally,
it is recommended to do an SAI PMF assessment every five years”. The AQMF provides
significant guidance regarding peer reviews and provides a grading criterion that takes
into account the application of applicable international standards and better practices for
SAIs.
QAI&M Wing should consider applying the IDI SAI PMF40 when conducting their post-
audit quality assurance activities and should design training courses around the AQMF
to build the capacity of its staff in this regard. This shall enable them to perform their
quality assurance activities to greater effect; in addition, by understanding the criteria
measured by the AQMF, QAI&M Wing should be able to ensure that the DAGP scores
highly during an independent peer review as long as its directives are implemented
satisfactorily.

If work is contracted out, SAIs should seek confirmation that the contracted firms
have effective systems of quality control in place. (ISSAI 140 element 6 section 2,
page 22)

21. Should the DAGP require the assistance of outside expertise, it should partake in the
procurement process and seek confirmation that the contracted firm have effective
systems of quality control in place. Doing so shall ensure that they are able to trust that
the work performed by the contracted third party is reliable, and decisions may be taken
on the basis of them.
22. The DAGP should take responsibility in ensuring that bidding firms have the required
level of expertise and follow the appropriate applicable standards. For further information
regarding the contracting of outside experts refer to Sections 17 - 20, Element 5
“Performance of Audit and Other Work”.

40
www.idi.no/elibrary/well-governed-sais/sai-pmf/426-sai-pmf-2016-english/file
41
www.idi.no/elibrary/well-governed-sais/strategy-performance-measurement-reporting/1139-sai-strategic-management-
handbook-version-1/file

100 |
 Annexures
8

101 |
► Annexure A: ISSAI 140

► Annexure B: QAI&M Mandate

► Annexure C: Quality Control & Assurance Key

Tasks and Responsibilities for DAGP staff

► Annexure D: Terms of References for Ethics

Committees

► Annexure E: Summary of Quality Control /

Assurance Implications

► Annexure F: Templates for Quality Control

► Annexure G: Templates for Quality Assurance

 ISSAI 140

Quality Control for SAIs

INTOSAI Standards are issued

by the International
Organisation of Supreme Audit
Institutions, INTOSAI, as part of
the INTOSAI Framework of
Professional Pronouncements.
For more information visit
INTOSAI www.issai.org
 INTOSAI

INTOSAI, 2019
1) Formerly known as ISSAI 40
2) Endorsed in 2010
3) With the establishment of the Intosai Framework of Professional
Pronouncements (IFPP), relabeled as ISSAI 140 with editorial changes in 2019

ISSAI 140 is available in all INTOSAI official languages: Arabic, English, French,
German and Spanish
TABLE OF CONTENTS

1. INTRODUCTION 4

2. SCOPE OF ISSAI 140 5

3. OVERVIEW OF ISQC-1 7

4. WHAT IS A SYSTEM OF QUALITY CONTROL? 8

5. STRUCTURE OF ISSAI 140 10

6. FRAMEWORK FOR AN SAI’S SYSTEM OF QUALITY CONTROL 11

Element 1: Leadership responsibilities for quality

within the SAI 11

Element 2: Relevant ethical requirements 13

Element 3: Acceptance and continuance 15

Element 4: Human resources 17

Element 5: Performance of audits and other work 19

Element 6: Monitoring 21

7. INTERPRETATION OF TERMS 23
1 INTRODUCTION

The purpose of ISSAI 140 - Quality control for SAIs is to assist SAls to establish and
maintain an appropriate system of quality control which covers all of their work. This
document should help SAls design a system of quality control which is appropriate
to their mandate and circumstances and which responds to their risks to quality.

A major challenge facing all SAls is to consistently deliver high quality audits and
other work. The quality of work performed by SAls affects their reputation and
credibility, and ultimately their ability to fulfil their mandate.

For a system of quality control to be effective, it needs to be part of each SAI’s

strategy, culture, and policies and procedures as outlined in this guidance. In this way,
quality is built into the performance of the work of each SAI and the production of
the SAI’s reports, rather than being an additional process once a report is produced.

This document is an integral part of the International Standards of Supreme Audit

Institutions (ISSAIs). The principles and application guidance within this ISSAI is
intended to be used in conjunction with other ISSAIs.

Each SAI is best equipped to decide how to implement ISSAI 140 given its own
mandate and structure, its risks and the nature of work it performs.

4
2 SCOPE OF ISSAI 140

ISSAI 140 is based on the key principles in the International Standard on Quality
Control, ISQC 1’, adapted as necessary to apply to SAIs. Although ISQC-11 includes
some matters specific to public sector audit organisations and in many respects is
appropriate to SAIs, the key principles require some interpretation to enable them
to be applied by SAIs. ISSAI 140 reflects the mandate of SAIs, which is often wider
than that of a professional audit and assurance firm. ISSAI 140 provides principles
and application guidance to assist SAIs in applying the key principles of ISQC-1 to
the full range of their work, as appropriate to their mandate and circumstances.
This document outlines quality control measures that are relevant to achieving high
quality in the public sector environment.

Although the general purpose and key principles of ISSAI 140 are consistent with
ISQC-1, the requirements of this ISSAI have been adapted to ensure they are
relevant to SAIs. Therefore, the requirements are not identical to the requirements
of ISQC-1

By recognising and drawing on the key principles in ISQC-1, ISSAI 140 establishes an
overall framework for quality control in SAIs. This framework is designed to apply
to the system of quality control for all the work carried out by SAls, (i.e. financial
audits, compliance audits, performance audits and any other work carried out by
an SAI).

1 ISQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and other Assurance
and Related Services Engagements, International Federation of Accountants (IFAC).

5
ISSAI 140 - QUALITY CONTROL FOR SAIS

ISSAI 140 focuses on the organisational aspects of audit quality operating

throughout SAIs. ISSAI 140 also provides a framework that complements other
INTOSAI pronouncements, including those for quality control at an individual
engagement level (e.g. an individual financial audit, compliance audit, performance
audit or any other work carried out by an SAI.)

Standards and guidance on quality control at an individual engagement level can be

found:
• Financial Audit; see ISSAI 2220 and ISSAI 2620 - provide requirements in
respect of quality control for financial audits.
• Performance Audit; see ISSAI 3000/79 - establishes the requirement and
GUID 3910/100-108 provides further guidance in respect of quality control
for performance audit
• Compliance Audit; see ISSAI 4000/80-88 - establishes requirements in
respect of quality control for compliance audits.

If an SAI wishes to assert that it is compliant with ISQC-1 (and with ISAs), it will
need to consider the requirements of ISQC-1. The requirements for applying ISAs are
described in the Financial Audit Standards.

ISQC-1 is available from IFAC.

Some terms used in ISQC-1 need interpreting for SAIs. These interpretations are set
out in section 7 of this document.

6
3 OVERVIEW OF ISQC-1

ISQC-1 deals with a firm’s responsibilities in relation to its system of quality control

for audits and reviews of financial statements and other assurance and related

services engagements.

ISQC-1 sets out that “the objective of the firm is to establish and maintain a system

of quality control to provide it with reasonable assurance that:

a) the firm and its personnel comply with professional standards and

applicable legal and regulatory requirements; and

b) reports issued by the firm or engagement partners, are appropriate in

the circumstances”2.

The framework in ISSAI 140 is intended to fulfil the same purpose in relation to

each SAI’s mandate and circumstances.

2 ISQC-1, para 11.

7
4 WHAT IS A SYSTEM OF
QUALITY CONTROL?

ISSAI 140 uses the elements of the quality control framework outlined in ISQC-1.
ISSAI 140 also considers the issues of particular relevance in the public sector audit
environment affecting an SAI’s system of quality control. ISQC-1 outlines the elements
of a system of quality control to be:

a) Leadership responsibilities for quality within the firm;

b) Relevant ethical requirements;

c) Acceptance and continuance of client relationships and specific

engagements;

d) Human resources;

e) Engagement performance; and

f) Monitoring.

In addition to the above elements, ISQC-1 notes the need to document the firm’s
quality control policies and procedures and communicate them to the firm’s
personnel.

The elements of a system of quality control contained in ISQC-1 are applicable to

the range of work carried out by SAls (which may be wider than the ISQC-1 term
‘engagements’). Therefore, the key principles in ISQC-1 should be considered by
SAls when designing their system of quality control.

As an overriding objective, each SAl should consider the risks to the quality of
its work and establish a system of quality control that is designed to adequately

8
ISSAI 140 - QUALITY CONTROL FOR SAIS

respond to these risks. The risks to quality will depend on the mandate and
functions of each SAI, and the conditions and environment under which it operates.
These risks may arise in many different aspects of an SAI’s work. For example, risks
to quality may arise in the application of professional judgement, the design and
implementation of policies and procedures, or in the methods used by SAls to
communicate the results of their work. Maintaining a system of quality control
requires ongoing monitoring and a commitment to continuous improvement.

9
5 STRUCTURE OF
ISSAI 140

Section 6 of ISSAI 140 is presented in the same way for each element identified in
ISQC-1 as follows:

• the key principle in ISQC-1;

• the key principle adapted for SAls;

• application guidance for SAIs.

10
6 FRAMEWORK FOR AN
SAI’S SYSTEM OF QUALITY
CONTROL

ELEMENT 1: LEADERSHIP RESPONSIBILITIES FOR QUALITY WITHIN

THE SAI

ISQC-1 Key Principle:

“The firm shall establish policies and procedures designed to promote an internal
culture recognizing that quality is essential in performing engagements. Such
policies and procedures shall require the firm’s Chief Executive Officer (or equivalent)
or, if appropriate, the firm’s managing board of partners (or equivalent) to assume
ultimate responsibility for the firm’s system of quality control”3

Key principle adapted for SAls

An SAI should establish policies and procedures designed to promote an
internal culture recognising that quality is essential in performing all of its
work. Such policies and procedures should be set by the Head of the SAI, who
retains overall responsibility for the system of quality control.

3 ISOC-1, para 18.

11
ISSAI 140 - QUALITY CONTROL FOR SAIS

APPLICATION GUIDANCE FOR SAIs

• The Head of the SAI may be an individual or a group depending on the

mandate and circumstances of the SAI.
• The Head of the SAI should take overall responsibility for the quality of all
work performed by the SAI.4
• The Head of the SAI may delegate authority for managing the SAI’s system
of quality control to a person or persons with sufficient and appropriate
experience to assume that role.
• SAls should strive to achieve a culture that recognises and rewards high
quality work throughout the SAI. To achieve that culture the Head of the SAI
should set the right “tone at the top”5 which emphasises the importance
of quality in all of the work of the SAI, including work which is contracted
out. Such a culture also depends on clear, consistent and frequent actions
from all levels of the SAI’s management that emphasise the importance
of quality.
• The strategy of each SAI should recognise an overriding requirement for
the SAI to achieve quality in all of its work so that political, economic or
other considerations do not compromise the quality of work performed.
• SAls should ensure that quality control policies and procedures are clearly
communicated to SAI personnel and to any parties contracted to carry out
work for the SAI.
• SAls should ensure that sufficient resources are available to maintain the
system of quality control within the SAI.
• The strategy of each SAI should recognise an overriding requirement for
the SAI to achieve.

4 Consistent with INTOSAI-P 20 Principles of transparency and accountability, Principle 5.

5 Tone at the Top and Audit Quality — Transnational Auditors Committee, Forum of Firms,
International Federation of Accountants (December 2007) — www.ifac.org

12
ISSAI 140 - QUALITY CONTROL FOR SAIS

ELEMENT 2: RELEVANT ETHICAL REQUIREMENTS

ISQC- 1 Key Principle:

“The firm shall establish policies and procedures designed to provide it with
reasonable assurance that the firm and its personnel comply with relevant ethical
requirements”6

Key principle adapted for SAls

An SAI should establish policies and procedures designed to provide it with
reasonable assurance that the SAI, including all personnel and any parties
contracted to carry out work for the SAI, comply with relevant ethical
requirements.

APPLICATION GUIDANCE FOR SAIs

• SAls should emphasise the importance of meeting relevant ethical

requirements in carrying out their work.
• All SAI personnel and any parties contracted to carry out work for the SAI
should demonstrate appropriate ethical behaviour.
• The Head of the SAI and senior personnel within the SAI should serve as
an example of appropriate ethical behaviour.
• The relevant ethical requirements should include any requirements set out
in the legal and regulatory framework governing the operations of the SAI.
• Ethical requirements for SAIs may include or draw on the INTOSAI ISSAI
130 - Code of Ethics and the IFAC ethical requirements, as appropriate
to its mandate and circumstances and to the circumstances of their
professional staff.
• SAls should ensure policies and procedures are in place in line with ISSAI
130, i.e.:
6 ISQC-1, para 20.

13
ISSAI 140 - QUALITY CONTROL FOR SAIS

- integrity;
- independence, objectivity and impartiality;
- professional secrecy; and
- competence.
• SAIs should ensure that any parties contracted to carry out work for the
SAI are subject to appropriate confidentiality agreements.
• SAls should consider the use of written declarations from personnel to
confirm compliance with the SAI’s ethical requirements.
• SAls should ensure policies and procedures are in place to notify the Head
of the SAI in a timely manner of breaches of ethical requirements and
enable the Head of the SAI to take appropriate action to resolve such
matters.
• SAIs should ensure appropriate policies and procedures are in place to
maintain independence of the Head of the SAI, all personnel and any
parties contracted to carry out work for the SAI.

(For more information on independence of SAls, refer to INTOSAI-P 10 Mexico

Declaration on SAl Independence and GUID 9030 Good Practices Related to SAl
Independence).
• SAIs should ensure policies and procedures are in place that reinforce the
importance of rotating key audit personnel, where relevant, to reduce
the risk of familiarity with the organisation being audited. SAls may also
consider other measures to reduce the familiarity risk.

14
ISSAI 140 - QUALITY CONTROL FOR SAIS

ELEMENT 3: ACCEPTANCE AND CONTINUANCE

ISQC-1 Key Principle:

“The firm shall establish policies and procedures for the acceptance and continuance
of client relationships and specific engagements, designed to provide the firm with
reasonable assurance that it will only undertake or continue relationships and
engagements where the firm:
a) is competent to perform the engagement and has the capabilities,
including time and resources, to do so;
b) can comply with relevant ethical requirements; and
c) has considered the integrity of the client and does not have information
that would lead it to conclude that the client lacks integrity”.7

Key principle adapted for SAIs

An SAI should establish policies and procedures designed to provide the SAI with
reasonable assurance that it will only carry out audits and other work where the SAI:

a) is competent to perform the work and has the capabilities, including time
and resources, to do so;

b) can comply with relevant ethical requirements; and

c) has considered the integrity of the organisation being audited and has
considered how to treat the risk to quality that arises.

The policies and procedures should reflect the range of work carried out by each
SAI. In many cases SAls have little discretion about the work they carry out. SAIs
carry out work in three broad categories:

• Work that is required of them by their mandate and statute and

which they have no option but to carry out;

• Work that is required by their mandate, but where they have

discretion as to the timing, scope and/or nature of work;

• Work that they can choose to carry out.

7 1500-1, para 26.

15
ISSAI 140 - QUALITY CONTROL FOR SAIS

APPLICATION GUIDANCE FOR SAIs

• For all audits and other work carried out, SAIs should establish systems to
consider the risks to quality which arise from carrying out the work. These
will vary, depending on the type of work being considered.
• SAIs normally operate with limited resources. SAIs should consider their
work programme and whether they have the resources to deliver the
range of work to the desired level of quality. To achieve this, SAIs should
have a system to prioritise their work in a way that takes into account the
need to maintain quality. If resources are not sufficient and pose a risk to
quality, the SAI should have procedures to ensure that the lack of resource
is brought to the attention of the Head of the SAI and, where appropriate,
the legislature or budgetary authority.
• SAIs should assess if a material risk to their independence exists in
accordance with INTOSAI-P 10.
• Where such a risk is identified, the SAI should determine and document
how it plans to address this risk and ensure an approval process is in place
and is adequately documented.
• Where the integrity of the audited organisation is in doubt, the SAI should
consider and address the risks arising from the capability of staff, the
level of resources, and any ethical issues which might arise in the audited
organisation.
• SAls should consider procedures for acceptance and continuance of
discretionary work, including work which is contracted out. If the SAl
decides to carry out the work, the SAl should ensure the decision is
approved at the appropriate level within the SAI, and that the risks involved
are assessed and managed.
• SAls should ensure that their risk management procedures are adequate
to mitigate the risks of carrying out the work. The response to the risks
may include:
- carefully scoping the work to be performed;
- assigning more senior/experienced staff than would ordinarily be the
case; and

16
ISSAI 140 - QUALITY CONTROL FOR SAIS

- doing a more in depth engagement quality control review of the work

before a report is issued.
• SAls should consider disclosing in their reports any specific matters that
would ordinarily have led the SAl to not accept the audit or other work.

ELEMENT 4: HUMAN RESOURCES

ISQC-1 Key Principle:

“The firm shall establish policies and procedures designed to provide it with
reasonable assurance that it has sufficient personnel with the competence,
capabilities and commitment to ethical principles necessary to:

a) perform engagements in accordance with professional standards and

applicable legal and regulatory requirements; and

b) enable the firm or engagement partners to issue reports that are

appropriate in the circumstances”.8

APPLICATION GUIDANCE FOR SAIs

• SAls may draw on a number of different sources to ensure they have the
necessary skills and expertise to carry out the range of their work, whether
carried out by SAI personnel or contracted out.
• SAls should ensure that responsibility is clearly assigned for all work
carried out by the SAI.
• SAls should ensure that personnel, and parties contracted to carry out
work for the SAI (e.g. from chartered accountancy or consulting firms),
have the collective competencies required to carry out the work.
• SAls should recognise that in certain circumstances personnel and, where
relevant, any parties contracted to carry out work for the SAI, may have
personal obligations to comply with the requirements of professional
bodies in addition to the SAI’s requirements.

8 ISQC-1, pars 29

17
ISSAI 140 - QUALITY CONTROL FOR SAIS

• SAls should ensure that Human Resources policies and procedures give
appropriate emphasis to quality and commitment to the SAI’s ethical
principles. Such policies and procedures related to human resources include:
- recruitment (and the qualifications of recruited staff);
- performance evaluation;
- professional development;
- capabilities (including sufficient time to perform assignments to the
required quality standard);
- competence (including both ethical and technical competence);
- career development;
- promotion;
- compensation; and
- the estimation of personnel needs.
• SAls should promote learning and training for all staff to encourage their
professional development and to help ensure that personnel are trained
in current developments in the profession.
• SAIs should ensure that personnel and any parties contracted to carry out
work for the SAI have an appropriate understanding of the public sector
environment in which the SAI operates, and a good understanding of the
work they are required to carry out.
• SAls should ensure that quality and the SAI’s ethical principles are key
drivers of performance assessment of personnel and any parties contracted
to carry out work for the SAI.

18
ISSAI 140 - QUALITY CONTROL FOR SAIS

ELEMENT 5: PERFORMANCE OF AUDITS AND OTHER WORK

ISQC-1 Key Principle:

“The firm shall establish policies and procedures designed to provide it with reasonable
assurance that engagements are performed in accordance with professional
standards and applicable legal and regulatory requirements, and that the firm or the
engagement partner issue reports that are appropriate in the circumstances. Such
policies and procedures shall include:

a) matters relevant to promoting consistency in the quality of

engagement performance;

b) supervision responsibilities;

c) and review responsibilities”.9

APPLICATION GUIDANCE FOR SAIs

• SAIs should ensure appropriate policies, procedures and tools, such as

audit methodologies are in place for carrying out the range of work that is
the responsibility of the SAI, including work that is contracted out.10
• SAIs should establish policies and procedures that encourage high
quality and discourage or prevent low quality. This includes creating an
environment that is stimulating, encourages proper use of professional
judgement and promotes quality improvements. All work carried out
should be subject to review as a means of contributing to quality and
promoting learning and personnel development.
• Where difficult or contentious matters arise, SAIs should ensure that
appropriate resources (such as technical experts) are used to deal with
such matters.
• SAls should ensure that applicable standards are followed in all work
carried out, and if any requirement in a standard is not followed, SAls
should ensure the reasons are appropriately documented and approved.

9 1SQC-1, para 32.

10 Consistent with INTOSAI-P 20, Principle 3.

19
ISSAI 140 - QUALITY CONTROL FOR SAIS

• SAls should ensure that any differences of opinion within the SAI are
clearly documented and resolved before a report is issued by the SAI.
• SAls should ensure appropriate quality control policies and procedures are
in place (such as supervision and review responsibilities and engagement
quality control reviews) for all work carried out (including financial audits,
performance audits, and compliance audits). SAIs should recognise the
importance of engagement quality control reviews for their work and,
where an engagement quality control review is carried out, matters raised
should be satisfactorily resolved before a report is issued by the SAI.
• SAls should ensure that procedures are in place for authorising reports
to be issued. Some work of SAIs may have a high level of complexity and
importance that requires intensive quality control before a report is issued.
• If SAIs are subject to specific procedures relating to rules of evidence (such
as SAls with a judicial role), they should ensure that those procedures are
consistently followed.
• SAls should aim for timely completion of audits and all other work,
recognising that the value from the work of SAIs diminishes if the work is
not timely.
• SAls should ensure timely documentation (such as audit work papers) of
all work performed.
• SAIs should ensure that all documentation (such as audit work papers) is
the property of the SAI, regardless of whether the work has been carried
out by SAI personnel or contracted out.
• SAIs should ensure appropriate procedures are followed for verifying
findings to ensure those parties directly affected by the SAI’s work have
an opportunity to provide comments prior to the work being finalised,
regardless of whether or not a report is made publicly available by the SAI.
• SAIs should ensure that they retain all documentation for the periods
specified in laws, regulations, professional standards and guidelines.
• SAls should balance the confidentiality of documentation with the need
for transparency and accountability. SAls should establish transparent
procedures for dealing with information requests that are consistent with
legislation in their jurisdiction.

20
ISSAI 140 - QUALITY CONTROL FOR SAIS

ELEMENT 6: MONITORING

ISQC-1 Key Principle:

“The firm shall establish a monitoring process designed to provide it with reasonable
assurance that the policies and procedures relating to the system of quality control
are relevant, adequate and operating effectively. This process shall:

a) include an ongoing consideration and evaluation of the firm’s system of

quality control including, on a cyclical basis, inspection of at least one
completed engagement for each engagement partner;

b) require responsibility for the monitoring process to be assigned to a

partner or partners or other persons with sufficient and appropriate
experience and authority in the firm to assume that responsibility; and

c) require that those performing the engagement or the engagement

quality control review are not involved in inspecting the engagements”.11

Key principle adapted for SAIs

An SAI should establish a monitoring process designed to provide it with
reasonable assurance that the policies and procedures relating to the system
of quality control are relevant and adequate and are operating effectively. The
monitoring process should:

a) include an ongoing consideration and evaluation of the SAl’s system of

quality control, including a review of a sample of completed work across the
range of work carried out by the SAI;

b) require responsibility for the monitoring process to be assigned to an

individual or individuals with sufficient and appropriate experience and authority
in the SAI to assume that responsibility; and

c) require that those carrying out the review are independent (i.e. they have
not taken part in the work or any quality control review of the work.)

11 ISQC-1, para 48.

21
ISSAI 140 - QUALITY CONTROL FOR SAIS

APPLICATION GUIDANCE FOR SAIs

• SAIs should ensure that their quality control system includes independent
monitoring of the range of controls within the SAI (using personnel not
involved in carrying out the work).
• If work is contracted out, SAIs should seek confirmation that the contracted
firms have effective systems of quality control in place.
• SAls should ensure the results of the monitoring of the system of quality
control are reported to the Head of the SAI in a timely manner, to enable
the Head of the SAI to take appropriate action.
• Where appropriate, SAIs should consider engaging another SAI, or other
suitable body, to carry out an independent review of the overall system of
quality control (such as a peer review).12
• Where appropriate, SAls may consider other means of monitoring the
quality of their work, which may include, but not be limited to:
- independent academic review;
- stakeholder surveys;
- follow-up reviews of recommendations; or
- feedback from audited organisations (e.g. client surveys).
• SAls should have procedures for dealing with complaints or allegations
about the quality of work performed by the SAI.
• SAls should consider whether there are any legislative or other
requirements to make monitoring reports public or to respond to public
complaints or allegations related to the work carried out by the SAI.13

12 Consistent with INTOSAI-P 20, Principle 9.

13 Consistent with ISSAI 130 , para 11.

22
7 INTERPRETATION OF
TERMS

If an SAI wishes to assert that it is compliant with ISQC-1 (and with ISAs), it will need

to consider the requirements of ISQC-1 . ISQC-1 includes definitions of a number of

different terms. In applying ISSAI 140, the following terms used in ISQC-1 may be

understood as follows:

The term ‘firm’ refers to the SAI as a whole. Where the

Head of the SAI appoints an employee, a chartered
accountant or auditing partnership, or other suitably
qualified person to carry out audits or other work, the
‘Firm’
‘firm’ refers to the combination of the Head of the SAI,
the person appointed to carry out the audits or other
work and, if applicable, the firm of which the person
appointed is a partner, member or employee

The term ‘engagement’ refers to the work carried out

in exercising the functions of the SAI (for example, a
‘Engagement’
financial audit under the relevant jurisdiction of each
SAI.

23
ISSAI 140 - QUALITY CONTROL FOR SAIS

The term ‘engagement partner’ refers to the employee,

chartered accountant or other suitably qualified
‘Engagement person who is responsible for the work, and for the
partner’ report that is issued on behalf of the Head of the SAI,
in accordance with the policies and procedures of the
SAI

The term ‘client’ refers to the public entity or entities

‘Client’ subject to audit or other work by the SAI (e.g. the
audited organisation).

The guidance provided throughout this ISSAI is consistent with these terms.

24
► Annexure A: ISSAI 140

► Annexure B: QAI&M Mandate

► Annexure C: Quality Control & Assurance Key

Tasks and Responsibilities for DAGP staff

► Annexure D: Terms of References for Ethics

Committees

► Annexure E: Summary of Quality Control /

Assurance Implications

► Annexure F: Templates for Quality Control

► Annexure G: Templates for Quality Assurance

 ► Annexure A: ISSAI 140

► Annexure B: QAI&M Mandate

► Annexure C: Quality Control & Assurance

Key Tasks and Responsibilities for DAGP
staff

► Annexure D: Terms of References for

Ethics Committees

► Annexure E: Summary of Quality Control /

Assurance Implications

► Annexure F: Templates for Quality Control

► Annexure G: Templates for Quality

Assurance

104 |
Annexure C - Quality Control & Assurance Key Tasks and
Responsibilities for DAGP staff
As a result of the AQMF document, additional key tasks and responsibilities arise for DAGP
staff both at QAI&M (quality assurance) and FAOs (quality control). These additional tasks
that can be designated to a specific individual as per the DAGP’s current structure have been
described below.
Additional Key Tasks and Responsibilities at FAO-Level
Current key tasks pertaining to each phase of the audit cycle are stipulated in the Sectoral
Audit Guidelines (Sections 8.3 – 8.7). The table below describes any additional tasks and
responsibilities with respect to quality control measures at the FAO-Level arising as a result
of the AQMF document:

Designation Additional Key Tasks & Responsibilities

• Maintain the Risk Area Digest (RAD) of the Audited Entities that fall under their
jurisdiction (Annexure F.2.1).
Assistant • Prepare the Execution File: Significant Issues Identified during Execution
Audit Officer (Annexure F.3.2)
• Prepare the Staff Roster for Job Rotation (Annexure F.2.3).
• Prepare the Record of Consultation (Annexure F.3.6), if applicable.

• Review and approve the RAD maintained for Audited Entities (Annexure F.2.1).
AO / • Review the Execution File: Significant Issues Identified during Execution
Assistant (Annexure F.3.2).
Director • Review the Staff Roster for Job Rotation (Annexure F.2.3).
• Review the Record of Consultation (Annexure F.3.6), if applicable.

• Conduct supervisory visits according to the supervision plan.

• Approve the Staff Roster for Job Rotation (Annexure F.2.3).
• Prepare the Permanent & Planning File Updation Summary (Annexure F.2.4)
• Prepare the Report for Quality Control Review of Permanent & Planning Files
(Annexure F.2.5).
DD
• Approve the Execution File: Significant Issues Identified during Execution
(Annexure F.3.2).
• Prepare the Quality Control Review of Execution and Reporting Files (Annexure
F.3.1).
• Attend the External QAC meeting (Annexure G.2.3 & G.2.4).

• Prepare the Control Document for Code of Conduct Declaration (Annexure

F.1.2).
• Prepare Field Audit Instructions for audit teams prior to the commencement of
audits (Annexure F.2.2).
Director • Conduct supervisory visits according to the supervision plan.
• Review and approve the Permanent & Planning File Updation Summary
(Annexure F.2.4).
• Review the Report for Quality Control Review of Permanent & Planning Files
(Annexure F.2.5).

105 |
 • On the basis of the Report for Quality Control Review of Permanent & Planning
Files (Annexure F.2.5), prepare Summary of Quality Control Review of
Permanent & Planning Files (Annexure F.2.6).
• Review the Quality Control Review of Execution and Reporting Files (Annexure
F.3.1).
• On the basis of Quality Control Review of Execution and Reporting Files
(Annexure F.3.1), prepare the Summary of Quality Control Review of Audit
Execution and Reporting (Annexure F.3.4).
• Prepare the Monthly Status Report of Audit Plans (Annexure F.3.3).
• Attend the External QAC meeting (Annexure G.2.3 & G.2.4)

• Review the Control Document for Code of Conduct Declaration (Annexure

F.1.2).
• Designate supervisory officers for the supervisory plan in the Field Audit
Instructions (Annexure F.2.2).
• Review the Field Audit Instructions for audit teams prior to the commencement
of audits (Annexure F.2.2) and disseminate them to the teams upon approval.
• Review and approve supervisory visits conducted by DD and / or Director.
• Review the Summary of Quality Control Review of Permanent & Planning Files
(Annexure F.2.6) and forward to respective DAG for their approval.
DG • Review the Monthly Status Report of Audit Plans (Annexure F.3.3) and forward
to respective DAG for their approval.
• Review the Summary of Quality Control Review of Audit Execution and
Reporting (Annexure F.3.4) and forward to respective DAG for their approval.
• Approve the Record of Consultation (Annexure F.3.6) if applicable.
• Sign the Certificate of Quality for the Audit Report (Other Audits) (Annexure
F.3.7)
• Sign the Certificate of Quality for the Audit Report (Other Audits) (Annexure
F.3.8)
• Attend the External QAC meeting (Annexure G.2.3 & G.2.4)

• Approve the Control Document for Code of Conduct Declaration (Annexure

F.1.2) for their respective FAOs.
• Approve the Monthly Status Report of Audit Plans (Annexure F.3.3) for their
respective FAOs.
DAG • Approve the Summary of Quality Control Review of Permanent & Planning Files
(Annexure F.2.6) for their respective FAOs.
• Approve the Summary of Quality Control Review of Audit Execution and
Reporting (Annexure F.3.4) for their respective FAOs.
• Chair the Internal QAC meeting for their respective FAOs.
* These responsibilities should be added to already developed job descriptions of the concerned designation.

106 |
Responsibility matrix of the audit related forms to complete at the FAO-Level is as follows:
AO/
Asst. Direct
No. Tasks Asst. DD DG DAG
AO or
Dir
RAD
1 P R-A
(Annexure F.2.1)
Template for Field Audit
2 P R-A
Instructions (Annexure F.2.2)
Staff Roster for Job Rotation
3 P R A
(Annexure F.2.3)
Supervision Checklist (Annexure
4 P P R-A
F.3.5)
Monthly Status Report of Audit
5 P R A
Plans (Annexure F.3.3)
Permanent & Planning File
6 Updation Summary (Annexure P R-A
F.2.4)
Report for Quality Control Review
7 of Permanent & Planning Files P R A
(Annexure F.2.5)
Summary of Quality Control
8 Review Report of Permanent & P R A
Planning Files (Annexure F.2.6)
Execution File: Significant Issues
9 Identified during Execution P R A
(Annexure F.3.2)
Quality Control Review of
10 Execution and Reporting Files P R A
(Annexure F.3.1)
Summary of Quality Control
11 Review of Audit Execution and P R A
Reporting (Annexure F.3.4)
Record of Consultation (Annexure
12 P R A
F.3.6)
Control Document for Code of
13 Conduct Declarations (Annexure P R A
F.1.2)
P=Prepare, R=Review, A=Approve,

107 |
Additional Key Tasks and Responsibilities at QAI&M Wing
The table below describes any additional tasks and responsibilities with respect to quality
assurance measures falling upon QAI&M Wing, arising as a result of the AQMF document:

Designation Additional Key Tasks & Responsibilities

• Conduct fieldwork for the Administrative Inspection Report and assist in its
preparation.
• Prepare the Post-audit Quality Assurance Checklist (Annexure G.1.1).
• Prepare the Summary of Quality Assurance Review Observations (Annexure
AO G.1.3).
• Prepare the Summary Review Memorandum (Annexure G.1.4).
• Prepare the Follow-up Continuity Schedule (Annexure G.1.5).
• Conduct Cold File Quality Assurance reviews (Annexure G.1.2).

• Prepare the Administrative Inspection Report.

• Review the Post-audit Quality Assurance Checklist (Annexure G.1.1)
• Review the Summary of Quality Assurance Review Observations (Annexure
G.1.3)
DD • Review the Summary Review Memorandum (Annexure G.1.4)
• Review the Follow-up Continuity Schedule (Annexure G.1.5)
• Review Cold File Quality Assurance reviews (Annexure G.1.2)
• Prepare the Report on Post-audit Quality Assurance (Annexure G.2.1)

• Review the Administrative Inspection Report.

• Prepare the Post-audit Quality Assurance Mapping Plan (Annexure G.1.6)
• Approve the Post-audit Quality Assurance Checklist (Annexure G.1.1)
• Approve the Summary of Quality Assurance Review Observations (Annexure
G.1.3)
Director
• Approve the Summary Review Memorandum (Annexure G.1.4)
• Approve the Follow-up Continuity Schedule (Annexure G.1.5)
• Approve Cold File Quality Assurance reviews (Annexure G.1.2)
• Review the Report on Post-audit Quality Assurance (Annexure G.2.1)
• Prepare the Annual Report on Post-audit Quality Assurance (Annexure G.2.2)

• Review the Administrative Inspection Report.

• Review the Post-audit Quality Assurance Mapping Plan (Annexure G.1.6)
• Approve the Cold File Quality Assurance reviews (Annexure G.1.2)
DG
• Approve the Report on Post-audit Quality Assurance (Annexure G.2.1)
• Review the Annual Report on Post-audit Quality Assurance (Annexure G.2.2)
• Attend the External QAC meeting (Annexure G.2.3 & G.2.4)

• Review the Administrative Inspection Report.

• Review and approve the Post-audit Quality Assurance Mapping Plan (Annexure
G.1.6)
DAG
• Review the Annual Report on Post-audit Quality Assurance (Annexure G.2.2)
after the DG’s review and forward to the AGP for their approval.
• Chairs the External QAC meeting (Annexure G.2.3 & G.2.4)

108 |
Responsibility matrix of the audit related forms to complete at QAI&M Wing is as follows:
Direct
No. Tasks AO DD DG DAG AGP
or
Post-audit Quality Assurance
1 P R R-A
Mapping Plan (Annexure G.1.6)
Post-audit Quality Assurance
2 P R A
Checklist (Annexure G.1.1)
Summary of Quality Assurance
3 Review Observations (Annexure P R A
G.1.3)
Summary Review Memorandum
4 P R A
(Annexure G.1.4)
Follow-up Continuity Schedule
5 P R A
(Annexure G.1.5)
Cold File Quality Assurance reviews
6 P R R A
(Annexure G.1.2)
Report on Post-audit Quality
7 P R A
Assurance (Annexure G.2.1)
Administrative Inspection
8 P P R R R A
Report
Annual Report on Post-audit Quality
9 P R R A
Assurance (Annexure G.2.2)
P=Prepare, R=Review, A=Approve,
.

109 |
 ► Annexure A: ISSAI 140

► Annexure B: QAI&M Mandate

► Annexure C: Quality Control & Assurance

Key Tasks and Responsibilities for DAGP
staff

► Annexure D: Terms of References for

Ethics Committees

► Annexure E: Summary of Quality Control /

Assurance Implications

► Annexure F: Templates for Quality Control

► Annexure G: Templates for Quality

Assurance

110 |
Annexure D - Terms of References for Ethics Committees

1. Purpose
• The purpose of Ethics Committees are to assist the AGP in the establishment, embedding
and oversight of values, the ethical policy framework and ensuring and monitoring the overall
ethical health of the DAGP and compliance with professional and ethical standards.
• The Committees are responsible for keeping key relevant risks under review and monitoring
mitigation activities and controls.
2. Authority
• The Committees have delegated authority from the AGP in respect of the functions and
powers set out in these Terms of Reference.
• The Committees have authority to investigate any matter within its Terms of Reference and
to obtain such information as it may require from any director, officer or employee.
• The Committees are required to report any significant matters to the AGP.
3. Constitution
• A Committee shall be established under each DAG that manage FAOs.
• Each DAG shall be the Chairman for their respective Committees.
• In the absence of the Chairman or an appointed deputy, the remaining members present
shall elect one of themselves as acting Chair in the meeting.
• The Committee Chair has a casting vote.
4. Membership
• The Committee will comprise of the Chairman (DAG) and at least one representative of each
FAO (Director or above) falling under the jurisdiction of the respective DAG.
5. Duration of appointments
• Unless otherwise determined by the respective DAG, the duration of appointments shall be
for a period of up to three years which may be extended by the DAG for an additional period
of two years.
6. Secretary
• The DAG shall select a nominee to act as Secretary to the Committee, who shall attend all
meetings.
• The Secretary shall record the proceedings and decisions of the Committee meetings and
the minutes shall be circulated to all members and attendees, as appropriate, taking into
account any conflicts of interest that may exist.
7. Proceedings of Meetings
a. Frequency of Meetings
i. The Committee shall meet at least four times a year and otherwise as required.
ii. Meetings of the Committee may be called by the Chair of the Committee at any time to
consider any matters falling within these Terms of Reference.
b. Quorum
i. Any three members of the Committee may form a quorum, provided at least one at-large
Director is in attendance.

111 |
8. Resolutions
a. Ethics Committees shall reach decisions by a simple majority of those voting on the issue in
question. If the numbers of votes for and against a certain proposal are equal, the Ethics
Committee Chair shall have a casting vote.
b. Any resolution evidenced in writing, or by electronic or voice recognition means, by such
member or members of the Ethics Committees, as would have been necessary to pass
such resolution, had all members of the Ethics Committee been present at a meeting to
consider such resolution, shall be valid and effective as if it had been passed at a
meeting of the Ethics Committee duly convened and held, provided that notice and
details of the proposed resolution have been given in advance to each member of the
Ethics Committee.

9. Responsibilities
The Committees shall:
i. Provide oversight of the culture of integrity and monitor the “tone at the top” set across the
DAGP.
ii. Consider and challenge the sufficiency of the ongoing measures being adopted by the DAGP
to ensure that an appropriate culture, underpinned by the DAGP’s values, prevails within the
DAGP. This should include considering the adequacy of the DAGP’s Code of Conduct and
the annual ethics programme proposed for the DAGP;
iii. Consider what the key metrics, including whistleblowing reports, disciplinary and grievances,
member behavioural issues, employee feedback and other relevant metrics so defined from
time to time indicate about the DAGP’s overall ethical health and culture;
iv. Monitor the actions taken (including potential penalties and / or other interventions) in
individual cases.
v. Consider the sufficiency of the DAGP’s response to trends and features indicated by the key
performance indicators;
vi. Ensure that there is an effective training programme in ethics at all levels;
vii. Ensure that there is effective communications strategy for the ethics programme reinforcing
ethical values and good practice in the DAGP and censuring unacceptable
practice;
viii. Recommend amendments to the Code of Conduct to the DAG, ensuring that lessons
learnt from internal and external sources are integrated as required.
ix. Monitor the FAO’s overall compliance with such policies including any adverse findings in
respect of ethical compliance arising from external regulatory inspections or the DAGP’s own
internal compliance programme as well as any breaches identified;
x. Monitor the adequacy of measures taken to ensure there is an effective and
embedded “Speak Up” culture that facilitates the reporting of any issues of concern;
xi. Assess reports and the adequacy of subsequent actions following breaches of the
ethics policy framework or allegations of employee misconduct;
1. Matters with a Potential Ethical Reputational Impact on the DAGP
i. When considering ethical matters, the Committee will have due regard for matters of
significant public interest, which may have a wider potential reputational impact on the
DAGP and will raise such matters with the concerned DAG as necessary;
ii. Consider and maintain oversight of the adequacy of the processes for ensuring
ethical considerations are taken into account in all third-party relationships;
iii. Consider the evidence to support compliance with the Code of Conduct bi-annually.
2. Reporting

112 |
 i. Minutes of each Committee meeting will be disclosed at the next meeting of the
Committee.
ii. The Chair of the Committee shall report to the AGP on a six monthly basis on its work
and areas of concern and areas of further action.
iii. The Committee shall compile a report of the work of the Committee in discharging its
responsibilities for inclusion in the Annual Report, including a description of significant
issues dealt with by the Committee.
iv. The Committee shall work and liaise as necessary with other committees of the DAGP.
3. Governance and Resources
i. The Committee shall, via the Secretary to the Committee, make available to new
members of the Committee a suitable induction process and, for existing members,
ongoing training as discussed and agreed by the Committee.
ii. The Committee shall conduct an annual self-assessment of its activities under these
Terms of Reference and report any conclusions and recommendations to the Board and,
as part of this assessment, shall consider whether or not it receives adequate and
appropriate support in fulfilment of its role and whether or not its annual plan of work is
manageable.
iii. The Committee shall in its decision making, give due regard to any relevant legal or
regulatory requirements, and associated better practice guidance, as well as to the risk
and reputation implications of its decisions (liaising where relevant with other
committees).
iv. The Committee shall have access to sufficient resources in order to carry out its duties
and have the power to engage independent counsel and other professional advisers and
to invite them to attend meetings.
4. Terms of Reference
i. The Committees shall annually review its Terms of Reference and may recommend to
the AGP any amendments to its Terms of Reference.
ii. Any amendments should be relayed to each of the Committees so that the procedures
stay uniform.

113 |
 ► Annexure A: ISSAI 140

► Annexure B: QAI&M Mandate

► Annexure C: Quality Control & Assurance

Key Tasks and Responsibilities for DAGP
staff

► Annexure D: Terms of References for

Ethics Committees

► Annexure E: Summary of Quality Control /

Assurance Implications

► Annexure F: Templates for Quality Control

► Annexure G: Templates for Quality

Assurance

114 |
 Annexure E - Summary of Quality Control / Assurance Implications

Throughout the AQMF, as requirements of applicable international standards are documented, implications shall arise for either quality control or quality assurance systems
and procedures. Following is the summary of these implications, which also states the key instruments employed within the DAGP to address the standard requirement, if
applicable.

Quality Quality Control Quality Control Quality Assurance

Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 1: Leadership - Key Principle: An SAI should establish policies and procedures designed to promote an internal culture recognizing that quality is essential
in performing all of its work. Such policies and procedures should be set by the Head of the SAI, who retains overall responsibility for the system of quality control.
Element 1 The Head of the SAI may be • AGP should be given • The Constitution
Leadership: an individual or a group appointments with of the Islamic
Leadership depending on the mandate sufficiently long and fixed Republic of
Structure and circumstances of the SAI. terms. Pakistan
(ISSAI 140 element 1 section • The functions, powers and • AGP Ordinance
1, page 12) duties of the AGP should 2001
be clearly defined and
established in the
legislation.
• AGP should report the
findings derived from the
DAGP to the appropriate
authority.
• The AGP should have
financial autonomy and
independence.

115 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 1 SAls should strive to achieve • DAGP staff should follow • The DAGP should devise A flexible reward • Vision, mission
Leadership: a culture that recognises and the vision, mission and vision, mission and core management system should and core values
Culture of rewards high quality work core values. values. be in place to reward FAOs established by the
Quality throughout the SAI. To • DAGP staff should follow • DAGP communicates its that produce high scoring DAGP
achieve that culture the Head auditing standards vision, mission and core audit reports on the basis of • Vision, mission
of the SAI should set the right established by the DAGP. values to its staff. the External QAC and core values
“tone at the top” which • Performance should be • The manuals and mechanism. laid out in DAGP’s
emphasises the importance gauged periodically, at the guidelines in place in the policy documents
of quality in all of the work of end of audit activity, DAGP should contain • Audit Manuals
the SAI, including work which against devised KPIs. auditing standards used • PER
is contracted out. Such a by the DAGP. • External QAC
culture also depends on mechanism
clear, consistent and frequent (Annexure G.2.3
actions from all levels of the & G.2.4)
SAI’s management that
Good Practice
emphasise the importance of
quality. (ISSAI 140 element 1 • A Reward
section 4, page 12) Management
System
Element 1 The strategy of each SAI • The strategic plan should • Strategic Plan
Leadership: should recognise an be clearly communicated • Implementation
Culture of overriding requirement for the to DAGP staff. Matrix of Strategic
Quality SAI to achieve quality in all of • Special mechanisms Plan (Annexure
its work so that political, should be established to F.2.7)
economic or other authorise the external
considerations do not activities of the DAGP.
compromise the quality of

116 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
work performed. (ISSAI 140 • Code of Conduct
element 1 section 5, page 12) Declaration
(Annexure F.1.1)
Good Practice
• Annual
operational plans
Element 1 SAls should ensure that • DAGP should use • MSO Book
Leadership: quality control policies and appropriate tools to Good Practice
Culture of procedures are clearly promote effective internal • Electronic
Quality communicated to SAI communication. communication
personnel and to any parties • DAGP should maintain a systems via
contracted to carry out work database to ensure all government email
for the SAI. (ISSAI 140 standing orders are addresses for all
element 1 section 6, page 12) properly documented and staff and / or an
available to staff for intranet
reference.
Element 1 SAls should ensure that Sufficient resources are Good Practice
Leadership: sufficient resources are necessary to maintain quality • Periodic,
Culture of available to maintain the control and quality preferably yearly,
Quality system of quality control assurance systems within staffing
within the SAI. (ISSAI 140 the DAGP. assessments at
element 1 section 7, page 12) HO Wings.
Element 2: Ethics - Key Principle: An SAI should establish policies and procedures designed to provide it with reasonable assurance that the SAI, including
all personnel and any parties contracted to carry out work for the SAI, comply with relevant ethical requirements.

117 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 2 SAls should emphasise the • A Code of Ethics should • DAGP Code of
Ethics: Ethical importance of meeting be developed in line with Conduct
Requirements relevant ethical requirements ISSAI 130. • Public
in carrying out their work. • Any third party contracted Procurement
(ISSAI 140 element 2 section out to carry out the work Rules
1, page 13) on behalf of the DAGP Good Practice
All SAI personnel and any should be made aware of
• Confidentiality
parties contracted to carry out the relevant ethical
Agreements
work for the SAI should requirements.
demonstrate appropriate
ethical behaviour. (ISSAI 140
element 2 section 2, page 13)
The Head of the SAI and
senior personnel within the
SAI should serve as an
example of appropriate
ethical behaviour. (ISSAI 140
element 2 section 3, page 13)
SAIs should ensure that any
parties contracted to carry out
work for the SAI are subject
to appropriate confidentiality
agreements. (ISSAI 140
element 2 section 7, page 14)
Element 2 The relevant ethical • The Code of Ethics in the Good Practice
Ethics: Legal requirements should include DAGP should be

118 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
and any requirements set out in reassessed and updated • ISSAI 130 Code
Regulatory the legal and regulatory in line with ISSAI 130 of Ethics
Environment framework governing the “Code of Ethics” to ensure • Periodic
operations of the SAI. (ISSAI compliance with the latest assessment of
140 element 2 section 4, ethical requirements as DAGP standards
page 13) per international
Ethical requirements for SAIs standards.
may include or draw on the • To ensure no other
INTOSAI ISSAI 130 - Code of alignments to applicable
Ethics and the IFAC ethical standards are required, a
requirements, as appropriate review of the standards
to its mandate and used by the DAGP should
circumstances and to the be conducted on a fixed
circumstances of their basis (preferably annually)
professional staff. (ISSAI 140 by an experienced team.
element 2 section 5, page 13)
Element 2 SAls should consider the use The DAGP should establish • Code of Conduct
Ethics: Legal of written declarations from a system to ensure that its Declaration
and personnel to confirm auditors comply with (Annexure F.1.1)
Regulatory compliance with the SAI’s following ethical • Asset Declaration
Environment ethical requirements. (ISSAI requirements. Forms under
140 element 2 section 8, Conduct Rules
page 14)
Element 2 SAls should ensure policies The DAGP should establish • Ethics
Ethics: Legal and procedures are in place a mechanism to enable the Committees
and to notify the Head of the SAI identification of significant (Annexure D)

119 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Regulatory in a timely manner of threats to independence, and • Toll-free hotline
Environment breaches of ethical the application of controls to leading to ethics
requirements and enable the mitigate them, as well as committees
Head of the SAI to take provide guidance and
appropriate action to resolve direction for staff in this
such matters. (ISSAI 140 respect.
element 2 section 9, page 14)

Element 2 SAIs should ensure policies • To ensure independence • Code of Conduct

Ethics: Staff and procedures are in place of audit staff, a yearly Declaration
Development that reinforce the importance independence (Annexure F.1.1)
of rotating key audit confirmation should be • Job Roster for
personnel, where relevant, to signed by all audit staff of Staff Rotation
reduce the risk of familiarity each FAO. (Annexure F.2.3)
with the organisation being • Rotation of key audit staff
audited. SAls may also is necessary to reduce the
consider other measures to risk of familiarity with the
reduce the familiarity risk. audited entity / formation.
(ISSAI 140 element 2 section
11, page 14)

Element 3: Acceptance and Continuance - Key Principle: An SAI should establish policies and procedures designed to provide the SAI with reasonable assurance
that it will only carry out audits and other work where the SAI:
a) is competent to perform the work and has the capabilities, including time and resources, to do so;

120 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
b) can comply with relevant ethical requirements; and
c) has considered the integrity of the organisation being audited and has considered how to treat the risk to quality that arises.
The policies and procedures should reflect the range of work carried out by each SAI. In many cases SAls have little discretion about the work they carry out. SAIs
carry out work in three broad categories:
• Work that is required of them by their mandate and statute and which they have no option but to carry out;
• Work that is required by their mandate, but where they have discretion as to the timing, scope and/or nature of work;
• Work that they can choose to carry out.

Element 3 For all audits and other work • The audit planning • RAD (Annexure
Acceptance carried out, SAIs should process should follow a F.2.1)
and establish systems to consider risk-based methodology. • Template for Field
Continuance: the risks to quality which arise • A document should be Audit Instructions
Risk from carrying out the work. prepared and updated on (Annexure F.2.2)
Management These will vary, depending on an annual basis,
the type of work being incorporating all relevant
considered. (ISSAI 140 risk areas of audited
element 3 section 1, page 16) entities.
• Instructions to audit
teams, issued prior to the
commencement of audits,
should include information
and advice related to
dealing with identified risk
areas of particular audited
entities.

121 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 3 SAIs should assess if a • An independence • Code of Conduct
Acceptance material risk to their confirmation should be Declaration
and independence exists in signed by the DAGP staff (Annexure F.1.1)
Continuance: accordance with INTOSAI-P at the FAO level to • Job Roster for
Risk 10. (ISSAI 140 element 3 confirm that they have Staff Rotation
Management section 3, page 16) read and agree to the (Annexure F.2.3)
Where such a risk is requirements necessary
identified, the SAI should for them to remain
determine and document how independent.
it plans to address this risk • DAGP staff should inform
and ensure an approval the management about
process is in place and is any pre-existing relevant
adequately documented. relationships and
(ISSAI 140 element 3 section situations that may
4, page 16) present a threat to
independence or
objectivity due to a conflict
in interest.
Element 3 Where the integrity of the Teams should be made • RAD (Annexure
Acceptance audited organisation is in aware of the risks regarding F.2.1)
and doubt, the SAI should the capability of staff, the • Template for Field
Continuance: consider and address the level of resources and any Audit Instructions
Risk risks arising from the ethical issues that may arise (Annexure F.2.2)
Management capability of staff, the level of in the audited entity.
resources, and any ethical
issues which might arise in

122 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
the audited organisation.
(ISSAI 140 element 3 section
5, page 16)
Element 3 SAls should ensure that their A key component of quality • Quality control
Acceptance risk management procedures control is the EQCR. An forms prepared by
and are adequate to mitigate the EQCR should be an AO, the FAO
Continuance: risks of carrying out the work. independent from the audit (Annexure F)
Risk The response to the risks team, who conducts an Good Practice
Management may include: objective evaluation of
• FAO-Level
- carefully scoping the work significant matters, including
independent
to be performed; risks identified and
review of the draft
significant judgments made
- assigning more audit report
by the audit team, and the
senior/experienced staff than
team’s conclusions reached
would ordinarily be the case;
in formulating the audit
and
report.
- doing a more in depth
engagement quality control
review of the work before a
report is issued. (ISSAI 140
element 3 section 7, page 16)

123 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 3 SAIs normally operate with • An effective audit plan • The AGP should have full • Audit Plan
Acceptance limited resources. SAIs considers that formations powers for the creation of templates
and should consider their work are selected on the basis temporary posts. • Presentations on
Continuance: programme and whether they of risk, prioritizes • For subsequent years, the draft audit plans
Resource have the resources to deliver formations to the DAGP’s AGP should be able to • Template for Field
Management the range of work to the mandate and current convert temporary posts Audit Instructions
desired level of quality. To focus, considers to permanent positions, (Annexure F.2.2)
achieve this, SAIs should significance of risk factors expanding their budget, • Monthly Status
have a system to prioritise and auditability. by submitting their request Report of Audit
their work in a way that takes • Audit plan templates with justification to the Plan (Annexure
into account the need to should be used depending PAC. F.3.3)
maintain quality. If resources on the nature of the audit. • Finance Division
are not sufficient and pose a • DG should ensure Letter
risk to quality, the SAI should effective allocation of No.F.3(15)Exp-
have procedures to ensure resources and maintaining III/2002/110 dated
that the lack of resource is quality of audit work. 28th February
brought to the attention of the 2003 (as stated in
Head of the SAI and, where the MSO Book)
appropriate, the legislature or Good Practice
budgetary authority. (ISSAI
• Periodic,
140 element 3 section 2,
preferably yearly,
page 16)
staffing
assessments at
the FAO-Level

124 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 4: Human Resource - Guidance: The DAGP should establish policies and procedures designed to provide it with reasonable assurance that it has sufficient
personnel with the competence, capabilities and commitment to ethical principles necessary to:
• perform engagements in accordance with professional standards and applicable legal and regulatory requirements; and
• enable the DAGP to issue reports that are free from error as best as circumstances allow.
Element 4 SAls may draw on a number • A periodic skills • Professional development Good Practice
Human of different sources to ensure assessment should be and career progression
• Periodic Skills
Resource: they have the necessary skills carried out to evaluate the should also be based on
Assessment
Recruitment, and expertise to carry out the necessary skills and the principles of equality
• Personal file for all
Staff range of their work, whether qualifications required to and merit, with
DAGP staff with
Development carried out by SAI personnel cover all sectors in the consideration to
signed job
and or contracted out. (ISSAI 140 audit without comprising demonstrated ethical
descriptions
Performance element 4 section 1, page 17) the quality of work behaviour.
• Staff Welfare
Management SAls should ensure that performed. • There should be an
Policy
• A list of staff containing evaluation of, and
responsibility is clearly • Minimum training /
assigned for all work carried qualification, experience counselling on,
CPD hours for
out by the SAI. (ISSAI 140 and skills set should be performance, progress
DAGP staff
element 4 section 2, page 17) maintained at each FAO and career development.
• HRMIS (should
to facilitate in audit • Each staff should be
SAls should ensure that also contain list of
planning, capacity building aware of its professional
Human Resources policies staff containing
and performance career development path
and procedures give qualification,
assessment. and the minimum targets
appropriate emphasis to experience and
• Training courses should and training that needs to
quality and commitment to skillset)
be linked with be achieved for
the SAI’s ethical principles.
competencies and progression.
Such policies and procedures
assigned to staff that • A copy of the signed job
description should be

125 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
related to human resources would derive the most maintained in the personal
include: value from the courses. file of all DAGP staff.
• recruitment (and the • DAGP staff should have
qualifications of recruited the opportunity to express
staff); their views on the work
• performance evaluation; environment to
• professional development; management, and
• capabilities (including management should act
sufficient time to perform upon the issues arising
assignments to the from the views expressed
required quality standard); on the work environment;
therefore, the DAGP
• competence (including
should establish a
both ethical and technical
functional staff welfare
competence);
policy, which should be
• career development;
part of their HR strategy
• promotion;
document.
• compensation; and
• the estimation of personnel
needs. (ISSAI 140 element
4 section 5, page 18)
Element 4 SAls should ensure that Performance assessment of • It is good practice to A flexible reward • PER
Human quality and the SAI’s ethical staff should be performed establish an HRMIS that management system should • DAGP Training
Resource: principles are key drivers of after each audit, the can act as a hub for be in place to reward FAOs Plan
Recruitment, performance assessment of assessment should be performance assessment, that produce high scoring • External QAC
Staff personnel and any parties maintained in the personal training development and audit reports on the basis of mechanism
Development contracted to carry out work file of each staff and should, resource allocation.

126 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
and for the SAI. (ISSAI 140 along with the training and • To incentivize hard work the External QAC (Annexure G.2.3
Performance element 4 section 8, page 18) CPD achievement during the and excellence, DAGP mechanism. & G.2.4)
Management year, form the basis of should have in place a Good Practice
annual performance rewarding mechanism to
• HRMIS
assessment. reward high quality of
• Performance
work performed by its
assessment on
staff.
the basis of
feedback for
individual audits
• Audit team self-
assessment
• Reward
Management
System
Element 4 SAls should promote learning • It is good practice to • DAGP Training
Human and training for all staff to establish an HRMIS that Plan
Resource: encourage their professional can act as a hub for Good Practice
Recruitment, development and to help performance assessment,
• HRMIS
Staff ensure that personnel are training development and
Development trained in current resource allocation.
and developments in the
Performance profession. (ISSAI 140
Management element 4 section 6, page 18)

127 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 5: Performance of Audit and Other Works - Guidance: The DAGP should establish policies and procedures designed to provide it with reasonable
assurance that engagements are performed in accordance with professional standards and applicable legal and regulatory requirements, and that the DAGP issues
reports that are appropriate in the circumstances. Such policies and procedures shall include:
• matters relevant to promoting consistency in the quality of engagement performance;
• supervision responsibilities; and
• review responsibilities.
Element 5 SAIs should ensure • The auditors should be Audit methodologies and A post audit quality • DAGP Audit
Performance appropriate policies, equipped and facilitated supporting working paper assurance checklist should Manuals
of Audit and procedures and tools, such with predefined policies, kits, etc. should be updated be used to check for the • DAGP Sectoral
Other Works: as audit methodologies are in procedures and tools, on a timely basis to ensure completeness of each file Guidelines
Audit place for carrying out the where able, in order to they reflect the latest (permanent, planning and • Template for Field
Planning range of work that is the streamline and produce INTOSAI standards and execution) and related Audit Instructions
responsibility of the SAI, work of consistently high better practices. quality control forms. These (Annexure F.2.2)
including work that is quality. checklists should be the • Working Paper Kit
contracted out. (ISSAI 140 • To enhance the work responsibility of field • Post Audit Quality
element 5 section 1, page 19) quality of audit team, inspection teams from Assurance
information regarding the QAI&M Wing. Checklist
tools, policies and (Annexure G.1.1)
methodologies to be used
should be timely
communicated.
• A checklist should be
maintained to ensure the
completeness of file.

128 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 5 SAls should aim for timely • After the conclusion of an • Post Audit Quality
Performance completion of audits and all audit cycle, quality control Assurance
of Audit and other work, recognising that should be conducted of Checklist
Other Works: the value from the work of the audit at the concerned (Annexure G.1.1)
Audit SAIs diminishes if the work is FAO in order to ensure • External QAC
Planning not timely. (ISSAI 140 that it was carried out mechanism
element 5 section 9, page 20) appropriately with the (Annexure G.2.3
usage of all relevant & G.2.4)
quality control forms. Good Practice
• An external QAC
• AMIS
mechanism should be in
place at QAI&M Wing to
review the draft audit
reports, the audit planning
of an audit as well as the
quality assurance activity
of the inspection teams
from QAI&M Wing.
Element 5 SAIs should establish policies • All work undertaken A flexible reward • Template for Field
Performance and procedures that should be reviewed with management system should Audit Instructions
of Audit and encourage high quality and the aim of promoting be in place to reward FAOs (Annexure F.2.2)
Other Works: discourage or prevent low quality, learning and that produce high scoring • Supervision
Audit quality. This includes creating professional development. audit reports on the basis of Checklist
Execution an environment that is • A Supervisory plan should the External QAC (Annexure F.3.5)
stimulating, encourages be developed and mechanism. • External QAC
proper use of professional communicated to the audit mechanism
judgement and promotes

129 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
quality improvements. All teams prior to (Annexure G.2.3
work carried out should be commencement of audits. & G.2.4)
subject to review as a means • A supervision checklist Good Practice
of contributing to quality and should be conducted
• Audit team self-
promoting learning and during the supervisory
assessment
personnel development. visits planned as a means
• Performance
(ISSAI 140 element 5 section to review the audit work
assessment on
2, page 19) performed.
the basis of
• After completion of an
feedback for
audit fieldwork by a field
individual audits
audit team, the audit team
• Staff welfare
should perform an audit
policy
team self-assessment.
Through this, the team
may provide feedback the
audit, documenting
conclusions for
consideration during
future audits.

130 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 5 Where difficult or contentious Consultation should be The work done by an • Record of
Performance matters arise, SAIs should appropriately documented, outside expert and Consultation
of Audit and ensure that appropriate and a written record of the procurement process should (Annexure F.3.6)
Other Works: resources (such as technical consultation should be be evaluated according to • Quality assurance
Audit experts) are used to deal with maintained. applicable regulations during reports prepared
Execution such matters. (ISSAI 140 quality assurance. by QAI&M Wing
element 5 section 3, page 19) (Annexure G)

Element 5 SAls should ensure that • Quality of an audit is • DAGP Audit

Performance applicable standards are assured through Manuals
of Audit and followed in all work carried adherence to the • DAGP Audit
Other Works: out, and if any requirement in principles of DAGP Standards
Audit a standard is not followed, auditing standards. • Supervision
Execution SAls should ensure the • For each audit formation Checklist
reasons are appropriately relevant standards (Annexure F.3.5)
documented and approved. applicable to audit team
(ISSAI 140 element 5 section should be documented.
4, page 19)

131 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 5 SAls should ensure • A Supervisory plan should It is good practice for QAI&M • Template for Field
Performance appropriate quality control be developed and Wing to conduct reviews of Audit Instructions
of Audit and policies and procedures are communicated to the audit an entire audit file, after its (Annexure F.2.2)
Other Works: in place (such as supervision teams. submission to the PAC, for • Supervision
Audit and review responsibilities • A supervision checklist at least one audit of every Checklist
Execution and engagement quality should be conducted FAO for an interval of at (Annexure F.3.5)
control reviews) for all work during the supervisory least three years. These • Quality control
carried out (including financial visits planned. reviews are known as cold forms prepared by
audits, performance audits, • Quality control should be file reviews and are meant to the FAO
and compliance audits). SAIs ensured during the ensure that the audits have (Annexure F)
should recognise the supervision and review been completed in Good Practice
importance of engagement activities. accordance with the DAGP’s
• FAO-Level
quality control reviews for • A key component of procedures and with
independent
their work and, where an quality control is the applicable INTOSAI
review of the draft
engagement quality control EQCR. An EQCR should standards; in addition, the
review is carried out, matters reviews should ensure that audit report
be an auditor,
raised should be satisfactorily an appropriate audit opinion • Cold file review by
independent from the
resolved before a report is was given. QAI&M Wing
audit team, who conducts
issued by the SAI. (ISSAI 140 Inspection Teams
an objective evaluation of
element 5 section 6, page 20) (Annexure G.1.2)
significant matters.
• AMIS

132 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 5 SAls should ensure timely • Working Paper Kit should • DAGP should retain all • The DAGP should ensure • Quality control
Performance documentation (such as audit be used to ensure ownership of all timely documentation of forms prepared by
of Audit and work papers) of all work acceptable quality of documents produced. all work performed. the FAO
Other Works: performed. (ISSAI 140 execution file. • The DAGP should • Working papers should be (Annexure F)
Audit element 5 section 10, page • The Execution File should facilitate the effective reviewed during QAC • Administrative
Execution 20) undergo appropriate storage of all meetings. Inspection Report
SAIs should ensure that all quality control procedures. documentation maintained • Recordkeeping
documentation (such as audit by FAOs by providing a and retention
work papers) is the property digital platform with period guidelines
of the SAI, regardless of ownership and access • Quality assurance
whether the work has been controls. reports prepared
carried out by SAI personnel by QAI&M Wing
or contracted out. (ISSAI 140 (Annexure G)
element 5 section 11, page Good Practice
20) • All written
contracts should
provide a clause
stating that the
DAGP retains
ownership of
documentation
produced
• AMIS
Element 5 SAls should ensure that An audit completion checklist • To identify defects and • Audit completion
Performance procedures are in place for should be used during the ensure that quality control checklist as per
of Audit and authorising reports to be reporting phase in order to procedures and

133 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Other Works: issued. Some work of SAIs ensure that the audit has processes are working Working Paper Kit
Audit may have a high level of been carried out in a effectively, QAI&M Wing in FAM
Reporting and complexity and importance satisfactory manner, should perform quality • Quality assurance
Follow-ups that requires intensive quality sufficient evidence has been assurance of all audit reports prepared
control before a report is obtained and that the audit reports produced by the by QAI&M
issued. (ISSAI 140 element 5 opinion is appropriate. DAGP. (Annexure G)
section 7, page 20) • The audit reports should • Administrative
be understandable for all Inspection Report
stakeholders.
• The mechanisms
employed at QAI&M Wing
should include reviewing
the audit cycle leading up
to producing the audit
reports.

134 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Element 5 SAIs should ensure • During the reviews of • Quality control
Performance appropriate procedures are audit reports, the audit forms prepared by
of Audit and followed for verifying findings team should consider the FAO
Other Works: to ensure those parties management responses (Annexure F)
Audit directly affected by the SAIs and obtain follow-ups / • PAC Follow-up
Reporting and work have an opportunity to updates, if applicable. Reports
Follow-ups provide comments prior to the • Management responses
work being finalised, should be considered
regardless of whether or not a during the review of
report is made publicly EQCR (independent AO).
available by the SAI. (ISSAI • A monitoring system
140 element 5 section 12, should be in place to
page 20 identify management
action plans against audit
matters raised and their
progress.
Element 5 SAls should balance the • Procurement of third • Public
Performance confidentiality of parties should follow the Procurement
of Audit and documentation with the need appropriate rules & Rules
Other Works: for transparency and regulations. • RTI Act
Audit accountability. SAls should • It is in the public interest
Reporting and establish transparent to be able to request
Follow-ups procedures for dealing with information from the
information requests that are government and for them
consistent with legislation in to review the procedures
their jurisdiction. in place at the DAGP,

135 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
which would enhance
accountability.
Element 6: Monitoring - Key Principle: An SAI should establish a monitoring process designed to provide it with reasonable assurance that the policies and
procedures relating to the system of quality control are relevant and adequate and are operating effectively. The monitoring process should:
a) include an ongoing consideration and evaluation of the SAl’s system of quality control, including a review of a sample of completed work across the range of
work carried out by the SAI;
b) require responsibility for the monitoring process to be assigned to an individual or individuals with sufficient and appropriate experience and authority in the SAI
to assume that responsibility; and
c) require that those carrying out the review are independent (i.e. they have not taken part in the work or any quality control review of the work.)
Element 6 SAIs should ensure that their Each report should have • QAI&M Wing is the • Internal QAC
Monitoring: quality control system undertaken an internal primary hub through mechanism
Quality includes independent quality assurance review which quality assurance • Certificate of
Assurance monitoring of the range of prior to the external QAC. activities are carried out. Quality for the
controls within the SAI (using These activities should Audit Report
personnel not involved in entail quality assurance & (Annexure F.3.7 –
carrying out the work). (ISSAI administrative inspections Annexure F.3.10)
140 element 6 section 1, of each FAO, QAC • Post-audit quality
page 22) meetings to review all assurance
audit reports and quality mapping plan
assurance reviews of a (Annexure G.1.6)
sample of audits. • Post-audit quality
• A thorough planning assurance
process should be checklists
undertaken in order to performed by
ensure that QAI&M teams QAI&M Wing field

136 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
may carry out their duties teams (Annexure
in an efficient, economic G.1.1 – Annexure
and effective manner. G.1.5)
• Administrative
Inspection Report
• Post-audit quality
assurance reports
(Annexure G.2.1
& G.2.2)
• External QAC
mechanism
(Annexure G.2.3 –
G.2.5)
Good Practice
• Cold file review by
QAI&M Wing
Inspection Teams
Element 6 SAls should ensure the Monitoring status reports Quality assurance reports • Quality control
Monitoring: results of the monitoring of should be prepared at fixed, should be prepared to inform forms for the
Reporting the system of quality control regular intervals during the the AGP of key matters in a planning stage
are reported to the Head of formulation of the audit plan timely manner. prepared by the
the SAI in a timely manner, to and reported to the DAG, FAO (Annexure
enable the Head of the SAI to informing them of the status F.2.5 - F.2.9)
take appropriate action. of the audit plans. • Quality assurance
(ISSAI 140 element 6 section reports prepared
3, page 22)

137 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
by QAI&M Wing
(Annexure G)

Element 6 SAls should have procedures During the audit, a toll-free A mechanism should enable • Pakistan Citizen
Monitoring: for dealing with complaints or hotline should be Audited Entities to formally Portal
Feedback allegations about the quality communicated to the audited compile a complaint against • Uploading of
of work performed by the SAI. entity to allow them an any staff within the DAGP. annual reports on
(ISSAI 140 element 6 section avenue to make complaints if All complaints and their DAGP website
6, page 22) needed. responses should be • Ethics
SAls should consider whether documented. Committees
there are any legislative or (Annexure D)
other requirements to make Good Practice
monitoring reports public or to
• Internal complaint
respond to public complaints
management
or allegations related to the
system
work carried out by the SAI.
(ISSAI 140 element 6 section
7, page 22)
Element 6 Where appropriate, SAIs SAIs conducting Good Practice
Monitoring: should consider engaging international peer reviews

138 |
 Quality Quality Control Quality Control Quality Assurance
Key Instruments
Management Standard Requirement Implications Implications Implications
Employed
Element (FAO-Level) (HO-Level) (QAI&M)
Independent another SAI, or other suitable are currently using the IDI • Utilization of the
Reviews body, to carry out an SAI PMF for SAIs to assess IDI SAI PMF to
independent review of the the performance of the guide post-audit
overall system of quality institutions they are quality assurance
control (such as a peer performing peer reviews activities and any
review). (ISSAI 140 element 6 upon. The framework independent peer
section 4, page 22) provides significant reviews of other
Where appropriate, SAls may guidance regarding peer SAIs conducted
consider other means of reviews and provides a by the DAGP
monitoring the quality of their grading criterion that takes • Training courses
work, which may include, but into account the application on IDI SAI PMF to
not be limited to: of applicable international build capacity and
standards and better knowledge of
• independent academic
practices for SAIs. applicable
review;
international
• stakeholder surveys;
standards / better
• follow-up reviews of
practices for
recommendations; or
QAI&M staff
• feedback from audited
organisations (e.g. client
surveys). (ISSAI 140
element 6 section 5, page
22)

139 |
 ► Annexure A: ISSAI 140

► Annexure B: QAI&M Mandate

► Annexure C: Quality Control & Assurance

Key Tasks and Responsibilities for DAGP
staff

► Annexure D: Terms of References for

Ethics Committees

► Annexure E: Summary of Quality Control /

Assurance Implications

► Annexure F: Templates for Quality Control

► Annexure G: Templates for Quality

Assurance

140 |
Annexure F.1: Ethical Requirements
Annexure F.1.1: Code of Conduct Declaration
The contents below are in addition to the latest DAGP’s Code of Conduct and Code of Ethics.

1. Fundamentals
As part of an auditor’s professional responsibility, they shall demonstrate an adequate understanding
of the following five fundamental principles and shall uphold the ethical values and actions implied by
these values throughout the course of their duty as an auditor:
• Integrity;

• Independence and objectivity;

• Competence;

• Professional behaviour; and

• Confidentiality and transparency.
For a brief understanding, the definitions of these principles have been elaborated below:
a. Integrity
An auditor shall be straightforward and honest in all their formal dealings as part of their audit
work. They shall not be associated with any reports, findings or communication where the
auditor believes that the information is materially false, misleading or otherwise, where the
omission of important information shall imply a misleading conclusion to a report or finding.
b. Independence and objectivity
An auditor shall not compromise on their professional judgement because of bias, conflict of
interest or undue influence of others. If the auditor perceives that a circumstance or relationship
influences their professional judgement in any way, the cause and potential effect on the audit
findings shall be reported to the Field Audit Team In-charge.
c. Competence
An auditor shall attain and maintain professional knowledge and skills necessary to ensure
sufficient technical excellence during the course of their audit field work. Competence also
implies that the auditor shall act in accordance with applicable technical and professional
standards, as well as relevant legislation applicable to the FAO to which the auditor belongs.
d. Professional behaviour
An auditor shall comply with relevant laws and regulations, as well as work to uphold the
standard of ethical values and standards expected of professional auditors. An auditor shall not
engage in an activity that might impair the integrity, objectivity or good reputation of the DAGP.
e. Confidentiality and transparency
An auditor shall respect the confidentiality of information acquired as a result of their audit
activities. They shall always be alert to the possibility of inadvertent disclosure, in both formal
and informal environments. The information acquired as a result of their audit activities shall be
disclosed only under the following circumstances:
• Explicit authority of the concerned DAG;
• Explicit permission and authorization by the entity that the confidential information
pertains to;

141 |
 • Requirement under legal or regulatory obligations, such as court proceedings or Quality
Review Audits;
• It is believed that the confidential information must be disclosed in the public interest,
for e.g., to expose a committed or likely crime or fraudulent act by either the audited
entity or the auditor’s own team.
The principle of confidentiality with regards to the information acquired as part of previous audits
shall be upheld even when the auditor leaves the DAGP. Furthermore, this principle also implies
that any acquired confidential information, not available to the general public, shall not be
shared and / or utilized for any individual or entity’s gain.
f. Threats to fundamental values
An auditor is exposed to various circumstances which might threaten their ethical values or
independence. As such, an auditor shall handle any compromise to their ethical values or
independence with the same due diligence as they would with carrying out their day-to-day
tasks or any other audit activities. An auditor shall ultimately understand that should they face
any ethical dilemma in during the course of their work, they have a responsibility to act in the
public interest. As such, they shall be aware of and practise care with regards to the risks posed
to their ethical values and independence.
An auditor shall carefully consider the context in which such an issue could arise. They shall
apply professional and technical knowledge, skill and experience relevant to the facts and
circumstances, as well as gain an understanding of any interests and relationships involved in
the context. Due care shall be taken about the accuracy and reliability of the facts and
circumstances to ascertain what sort of threat is being faced. While such threats cannot be fully
mitigated, they shall be dealt with and brought down to an acceptable level which shall not
affect the audit work that is to be carried out.
At the very least, an auditor shall be aware of the following common threats to their principles:

• Self-interest: that an auditor has a financial or other interest that can influence their
judgement or behavior;
• Self-review: that an auditor shall assess, evaluate and / or review any professional work
or finding they had previously performed, which could form the basis or be relied on for
carrying out their current work;
• Advocacy: that an auditor may promote their audited entity’s position to the point where
it compromises their objectivity and professional judgement;
• Familiarity: that a personal relationship or interest within the audited entity could
compromise their objectivity and professional judgement; and
• Intimidation: that an auditor may not act objectively due to actual or perceived pressure
from the audited entity that they are covering, directly or indirectly.

142 |
Keeping the fundamental principles and their implications in mind, the following sections serve as a
general guideline for an auditor to follow. These sections are not exhaustive and as such, an auditor is
expected to safeguard their fundamental principles in any given circumstance when carrying out their
professional duties.

2. Gifts
Accepting material gifts can affect the objectivity and independence of an auditor by creating a self-
interest threat. No auditor shall accept, or permit any close relations to accept, from any person or
organization, any gift, the receipt of which places them under any form of official or implied obligation.
Gifts may take on more than one nature, for e.g. they can also include entertainment, hospitality,
preferential treatment etc. If there are multiple attempts to provide favours and gifts to the auditor, the
same shall be reported to the Field Audit Team In-Charge urgently.
Exceptions:
• Awards and shield received with participation in seminars, conferences or trainings; or
• The value of the gift is trivial and inconsequential.

3. Confidential Information
As covered in the fundamentals section, the auditor shall observe the principle of confidentiality. The
duty of an auditor is not only to keep information confidential, but also to take all reasonable steps to
preserve confidentiality. In the same manner, non-disclosure of confidential information in context of
finalizing audit findings can also compromise an auditor’s integrity, hence such information shall be
handled with extreme care and be for the benefit of the public interest.
It is the responsibility of the auditor to use approved modes of communication during audits and
transferring sensitive data in between the Field Audit Teams. The auditor shall take all reasonable steps
to ascertain whether a conflict of interest exists or is likely to arise in the future due to changing
circumstances or possession of previous acquired confidential information.

4. Speculation and Investment

No auditor shall, or permit any close relation, to make any investment decision, the value of which is
likely to be affected to some event by information which is available to him as an auditor and is not
equally available to the general public, or otherwise is likely to influence their professional judgement in
the discharge of their official duties.
Furthermore, in a situation where an auditor holds any direct financial interest in the entity which is to
be covered by them, or to the best of their knowledge, by their close relations, they shall inform their
Field Audit Team In-Charge about this interest and use professional judgement to assess the affect this
financial interest is going to have on their independence. This section pertains particularly to any public
entities, which can have private ownership, for e.g. any state owned, publicly listed companies. The
extent of the threat to their independence will depend primarily upon the ratio of their ownership of the
financial interest, as well as the ratio of the benefit gained from that financial interest towards their
overall income. Any financial interest carried through an intermediary, where the beneficiary can exert
influence or control over the intermediary on their investment decisions, the same shall be considered
as a direct investment. It is the responsibility of the auditor to be transparent about their investments
and to prevent the use of insider information to gain an unfair advantage over the general public.

5. Private trade, employment or work

No auditor shall engage in any trade or undertake any employment or work other than their official
duties, provided that the auditor may, without such sanction, undertake any honorary work of a religious,

143 |
social or charitable nature or occasional work of a literary or artistic character, subject to the condition
that their official duties do not thereby are materially affected and that the occupation of undertaking
does not conflict or is not inconsistent with their obligations as an auditor. In the likelihood of a conflict,
the auditor shall approach his Field Audit Team In-Charge for guidance.

6. Conflict of Interest
A conflict of interest arises when the personal interests of an auditor start to align with the interest of
entity that is being audited, where it becomes likely that the auditor will be able to draw undue benefit
from their position as an auditor, and hence compromise on their objectivity, independence and integrity.
It is the primary responsibility of an auditor to avoid any activities that may interfere or have the
appearance of interfering with the performance of their work. An auditor shall take reasonable steps to
identify circumstances that might create a conflict of interest. As various organizations can change over
time, the auditor shall remain alert to change in the nature of activities, interests and relationships that
might create a conflict of interest. Any likely conflict of interest shall be reported to the Field Audit Team
In-Charge on a timely basis for guidance and timely corrective action.
As guidance, the following activities are briefly described as examples which show how different
circumstances can create a conflict of interest and hence may affect the professional judgement of an
auditor:
• Entering into employment negotiations with the audited entity or another entity that the SAI has
a contractual or other relationship with;
• Being responsible for audit engagements or opinions, the outcome of which can have an impact
on the financial or other interests of that individual;
• Engaging in outside business or other non-audit activity with respect to an audited entity or
another entity that the SAI has a contractual or other relationship with, the outcome of which
can have an impact on their financial or other interests;
• Having a direct financial interest in the audited entity or in another entity that the SAI has a
contractual or other relationship with;
• Using confidential information, which can be used for the deliberate benefit or loss of any
organization or individual, which can be in benefit of the auditor; and
• Not disclosing any close relations that are in employment or have considerable influence or
interest in the entity that is being covered by the auditor.

7. Personal Conduct
An auditor personal conduct reflects on both the auditor and SAI. As implied in the previous sections,
the following guidelines are established as essential requirements:
• Auditor shall comply with the laws, regulations and conventions of the society in which they
operate, as well as with the guidance for their behavior established by the SAI;
• Auditor shall not engage in conduct that may discredit the SAI;
• Auditor shall inform their superiors about any arising conflicts between the SAI’s and their
profession’s ethical requirements;
• Soliciting, collecting or accepting contributions during official time are not allowed;
• The use or abuse of any substance that adversely affects safety or job performance is not
allowed; therefore use, possession, sale, purchase, or transfer of alcohol or illegal drugs by
auditor while on the job or on official property is prohibited;
• Political discussion shall be avoided in the professional workspace;
• Auditor should not have any link whatsoever with an organization classified as terrorist
organization by the Ministry of Interior nor encourage the discussion of such organizations;
• Official telephones shall not be used for phone calls made in personal capacity, except for
emergency calls;

144 |
 • Threatening, intimidating or otherwise interfering with other staff at any time is prohibited;
• Habitual late attendance or absence without permission is not permitted;
• Willful insubordination or disobedience of any lawful or reasonable order of any authorized
official is prohibited;
• Auditors are expected to be appropriately dressed while on official duty or in office premises;
• Auditors are required to comply with the Health, Security and Environment (HSE) policy of the
Company;
• Unauthorized use/misuse of computers/internet facility and failure to act as per DAGP’s IT
Security Policy is liable to disciplinary action and other causes analogous to any of the above.

8. Protection against Harassment of Women at Workplace

A code of conduct as laid down in “Protection against Harassment of Women at Workplace Act 2010”
shall be part and parcel of these Rules. All Auditors are expected to be fully aware of the 2010 Act supra
and abide by the rules therein. The salient features of the Act are given below:
• The purpose is to create a work environment in the SAI where both male and female auditors
work together in a civilized and respectful manner with dignity and honour leading to
improvement in the productivity within the DAGP;
• The Competent Authority needs to take the main responsibility to ensure that such work
environment is created and if there are any complaints the Competent Authority needs to
appoint a 03 members committee with at least one female (some members can be co-opted
from outside the organization) to look into the complaint(s);
• Sexual harassment by any auditor is an unacceptable behaviour;
• Sexual harassment is defined as any unwelcome sexual advance, request for sexual favours
or other verbal or written communication or physical conduct of a sexual nature or sexually
demeaning attitudes, causing interference with work performance or creating an intimidating,
hostile or offensive work environment, or the attempt to punish the complainant for refusal to
comply to such a request or is made a condition for employment. Such circumstances also
include any interaction or situation that is linked to official work or official activity outside the
office;
• A complaint can be filed with one of the members of the Ethics Committees against any auditor;
• The Committee can according to the preference of the complainant initiate an informal or a
formal inquiry;
• The management has to make sure that the process is just and no retaliation against the
complainant is allowed;
• Once the Committee reaches a decision and recommends a penalty, the Competent Authority
has to implement the decision; and
• The Inquiry Committee may recommend for appropriate action against the complainant if
allegations levied against the accused are found to be false and made with mala fide intentions.

9. Close Relations
Any reference to the receipt of benefits implied within this declaration form, financial or non-financial,
direct or indirect, the term “close relations” can include any of the following:
• Close personal relations i.e. parents, siblings, spouse, relatives etc.;
• Acquaintances i.e. friends, colleagues etc.;
• Organizations or groups that they may be working for part-time;
• Organizations or groups they have previously worked for; or
• Organizations or groups for which they are a major stakeholder, for apart from DAGP.

145 |
If you have any associated person (i.e. immediate family members and financial dependents) in a
government entity, disclose their names in the table below:

Person’s Name Relationship Government Entity Name

If you have any financial interests in a listed government entity, list them in the table below:

Entity Name Nature of Financial Interest Value (% shareholding)

I confirm that I have read and understood the contents of the Code of Conduct, including
the latest DAGP Code of Conduct and Code of Ethics, and confirm that I shall uphold my ethical values
in accordance with the Code while also safeguard myself against any potential conflicts of interest to
the best of my knowledge. I further understand that any false declarations, negligence or failure to report
any conflicts of interest may lead to disciplinary and/or criminal proceedings where appropriate. I further
affirm that that I shall timely and formally inform my Field Audit Team In-Charge, and sign a new form
as soon as reasonably possible, should my circumstances change, or where I otherwise perceive that
a conflict of interest, or a compromise to my independence as an auditor, is unavoidable.

Signature: _________________ Date:

146 |
Annexure F.1.2 - Control Document for Code of Conduct
Declarations

Name of FAO Period 202X – 202X

Prepared by Preparation Date
Reviewed by Review Date

Sr Independence Code of
Staff Name
No. Confirmation Conduct

(Y/N) (Y/N)

(Y/N) (Y/N)

(Y/N) (Y/N)

No. Staff Name Non Compliances Identified

147 |
Annexure F.2: Planning
Annexure F.2.1: Risk Area Digest

EXECUTIVE SUMMARY
Article 170 of the Constitution of the Islamic Republic of Pakistan requires the Auditor General
of Pakistan to give directions as to accounts.-

(1) The accounts of the Federation and of the Provinces shall be kept in such a form and
in accordance with such principles and methods as the Auditor General may, with the
approval of the President, prescribe;

(2) The audit of the accounts of the Federal and of the Provincial Governments and the
accounts of any authority or body established by, or under the control of, the Federal
or a Provincial Government shall be conducted by the Auditor General, who shall
determine the extent and nature of such audit.

As per Sections 7 and 8 of the Auditor General of Pakistan Ordinance 2001, the Auditor
General shall, on the basis of such audit as he may consider appropriate and necessary,
certify the accounts, compiled and prepared by Controller General of Accounts or any other
person authorized in that behalf, for each financial year, showing under the respective heads
the annual receipts and disbursements for the purpose of the Federation of each Province and
of each district, and shall submit the certified accounts with such notes, comments or
recommendations as he may consider necessary to the President or the Governor of a
Province or the designated District Authority, as the case may be.

The Auditor General shall —

a) audit all expenditure from the Consolidated Fund of the Federation and of each
Province and to ascertain whether the moneys shown in the accounts as having been
disbursed were legally available for, and applicable to, the service or purpose to which
they have been applied or charged and whether the expenditure conforms to the
authority which governs it;

b) audit all transactions of the Federation and of the Provinces relating to Public
Accounts;
c) audit all trading, manufacturing, profit and loss accounts and balance sheets and other
subsidiary accounts kept by order of the President or of the Governor of a Province in
any Federal or Provincial department; and

The Auditor General shall, in so far as the accounts enable him so to do, give to the Federal
Government, the Provincial Governments and the District Government, as the case may be,
such information and to undertake such studies and analysis as they may, from time to time,
require.

148 |
Name of Audited Entity

Section 1: Introduction of the Audited Entity

Lists the main functions and / or mandates of the entity being covered by the AGP, such as their purpose, responsibilities, strategic
oversight and types of projects/activities that they undertake. Also lists nature, type and amount of main expenditures and revenues.
If any particular requests for a specific nature of audit is made, they should be described here, and TORs should be attached. Any
necessary additions to Section 2 should be made to incorporate any additional risk areas arising from the TORs.

149 |
Section 2: Risk Areas
Describes the key risk areas of the entity to be covered, keeping in view the main functions and mandates identified in the previous
section. The process structure (such as key documents, personnel involved) of the concerned area to be audited shall be listed and
briefly defined. Recent audit plans should be consulted for guidance regarding risk areas.
2.1 Financial Management:
This table may be tailored by the user to best describe the risk.
Description of Risk Personnel Involved Document Ref.

150 |
 2.2 Programme / Project Management:
This table may be tailored to the audited entity to best describe the risk.
Description of Risk Personnel Involved Document Ref.

151 |
 2.3 Procurement:
Procurement plan of the audited entity should be included here with hyperlinks to bid evaluation reports, where applicable, prior to
describing risk areas:
Type of Important Dates for Status of Bid Evaluation Report
Procurement Description
Procurement Procurement Procurement Ref.

List of Blacklisted Firms:

A list should be provided here of blacklisted firms.

This table may be tailored by the user to best describe the risk.
Type of
Description of Risk (describe violation of PPRA, if applicable) Personnel Involved Document Ref.
Procurement

152 |
 2.4 Ethical drivers (Code of Ethics):
This table may be tailored by the user to best describe the risk.
Description of Risk Personnel Involved Document Ref.

153 |
 2.5 Human Resource (incl. staff utilization, competency and professional development)
This table may be tailored by the user to best describe the risk.
Description of Risk Personnel Involved Document Ref.

154 |
Section 3: Media / Public Reports
Any public reports from media, Civil Society Organisations and / or Non-governmental
Organisations (such as Transparency International Pakistan Procurement Watch) that
highlight a risk area of the entity or indicate a potential for misuse of the entity’s
resources shall be documented according to the table below:
Issue Reference (incl. date of Formation
issue)

155 |
Section 4: Complaints
This section shall cover any documented complaints against the entity which are not
otherwise covered by the public reports. The complaints should be received through
a complaint mechanism (such as Pakistan Citizen Portal and ethics hotline) with
appropriate levels of approvals. Any complaints included here should be approved by
the DG of the FAO.

156 |
Annexure F.2.2: Template for Field Audit Instructions

No. Dated: XX.XX.XXXX

Note: Each FAO can update this template based on the nature of their work and Audited Entities.
Additional headings may be inserted as deemed appropriate.

Instructions – Field Audit Activity

The following instructions are provided as a general guideline and basis on which the
actual instructions to carry out the Field Audit Activity shall be formulated. These
instructions are not exhaustive, and any additional instructions deemed necessary to
improve the effectiveness of the Field Audit Activity shall be incorporated as deemed
appropriate by the DG of the FAO.
1. The letterhead of the Audit Intimation Letter to the formation concerned shall
indicate the Toll Free No. installed at the AGP Office as under Whistle Blowing
Policy.
Audit Documentation
2. The Permanent File and Planning File (in accordance with FAM Proforma) of
the formations shall be prepared / updated and submitted along with Audit
Inspection Report (AIR) to the Supervisory Officer.
3. Updating of Permanent File is a requirement of FAM. Complete profile of
formation audited, keeping in view the Proforma for Permanent File provided in
FAM, which may also be provide to PM&E Section separately, enabling
updating of Permanent Files.
Audit Execution
4. Provisions of the relevant audit manual may be followed while conducting the
audit for which the manual was designed for.
5. Respective audit planning memorandums should be consulted and thoroughly
understood prior to the performance of the audits.
6. RAD of the concerned entity shall be consulted before the initiation of the Field
Audit, particularly any key risk areas and complaints identified against the
concerned entity. Any RAD queries shall be directed to the PM&E section and
/ or the Supervisory Officer.
7. Contact address for each formation be intimated to PM&E Section and
Supervisory Officer immediately on day one.
8. Monitoring & supervisory activity shall be properly documented in the light of
Monitoring and instructions issued by Office of the AGP.
9. Tour Program may be followed strictly, and audit be completed as per given
schedule.
10. During course of audit, if an organization does not produce record for audit,
field audit team shall immediately bring this to the notice of Head Office for
taking up the matter with PAO concerned. SOP is attached for compliance.

157 |
 11. An “Audit Para Register” shall be opened, duly page numbered and got
countersigned by the Supervisory Officer. Audit Observations be entered in
“Audit Para Register” on daily basis.
12. After issuing the audit observations, the Departmental replies should be
incorporated in the AIR and the same shall be submitted to the office within 10
working days of closure of audit assignment.
13. AIR along with PDPs shall be submitted within 10 working days to the
Supervisory Officer for scrutiny.
14. Supervisory Officer shall scrutinize the AIRs and PDPs and shall submit the
scrutinized AIR / PDPs to Director General within 10 working days of receipt of
AIR / PDPs.
15. PDPs should be prepared in accordance with CCCECR Model for various
categories of audit observations and the relevant, most recent audit report
template.
16. Separate File of PDPs should be completely supported with documentation /
evidence of rules / regulations and relevant code / contract violation.
17. All Audit Inspection Reports (AIRs) should contain following
information/documents:
a. Office Profile/Division Profile
b. Project Profile (if applicable) containing original & revised PC-I cost, date
of start date of completion, contractor, agreement cost, IPC paid, EPC
paid, etc.
c. Mandate/functions
d. Brief description of Financial system, delegation of powers, list of bank
accounts maintained and authority thereof
e. Head-wise estimated revenue receipts & actual revenue and Budget
estimates and actual expenditure
f. Period of Audit covered
g. Dates of Audit
h. Audit Methodology/Items selected for audit
i. Copies of all EPCs processed/paid during period under audit along with
detailed calculations, MB.
18. When auditing those organizations which prepare Financial Statements on
commercial patterns, comments may be offered on Audit Reports of Chartered
Accountants on financial statements as per instructions of Auditor General of
Pakistan.
19. Senior Auditors while proceeding outstation for field audit activity, should
properly hand over the record/indicate location of all record in his charge to the
Senior Auditors retained in office (respective Section) under the supervision of
Audit Officer concerned.
20. The Senior Auditors and concerned Assistant Audit Officer In-charge retained
in office should acquaint themselves properly with the record pertaining to their
sections and will look after the work of Senior Auditors deputed on Field Audit.

158 |
 21. In case no Senior Auditor is left in any Section for disposal of day-to-day work
/ DAC / PAC meetings, Assistant Audit Officer / Audit Officer In-charge shall
inform the position to PM&E Section and Admin Section for alternate
arrangements.
22. While framing audit observations due care should be exercised and only
material audit observations having significant financial impact, material by
nature or context be issued. Clubbing of minor issues, in a single para, may
also be opted where it is considered necessary to point out them to the
management.
23. In case the high value selected sample vouchers do not adequately cover the
high value risk areas, the same may be got replaced/ substituted as suggested
by the Inspecting Officer and recommended by the Deputy Director In-charge.
24. List of Cost centre of attached departments should also be collected from their
Administrative departments and attached with Audit & Inspection Report.
Foreign Aided Projects (FAPs)
25. Financial Attest Audit of FAP shall be conducted in accordance with FAP Audit
Manual, FAM, Audit Working Papers Kit, Sectoral Audit Guidelines on Foreign
Aided Projects and Donor’s Guidelines. Systematic selection of sample,
determination of materiality, MLE, UEL, Audit Procedures, Control Evaluation,
Substantive Testing, evaluation, determination of errors, formulation of opinion,
etc. shall be in accordance with FAM and documented properly. Financial
statements prepared by executing agencies should be in accordance with
Development Partners’ requirements. Audit Report shall be prepared on the
most recent template of Project Audit Report circulated.
26. Financial Statements of Foreign Aided Projects along with Notes, Management
Representation / Management Assertion should be obtained and submitted
along with audit observations to be included in management letter. A sample
management representation letter is enclosed.

159 |
TORs –Supervision Framework
1. Field Audit shall be supervised by the Supervisory Officer as per the
supervisory plan.
2. Monitoring & Supervisory activity shall be properly documented in the light of
Monitoring Framework and instructions issued by Office of the AGP. The
supervisory visits by the officers of the Field Audit Office shall be documented
utilizing the Supervision Checklist proforma within the AQMF document.
Furthermore, the Draft Framework for Field Supervisory, Monitoring Officers in
the light of Audit Reforms Committee shall be referred to for compliance.
3. Supervisory Officers shall closely monitor the proceedings and progress of the
Field Audit and the teams conducting those audits. They shall further certify
that all risk areas highlighted in the RAD have been covered. They shall also
be available to be contacted for guidance during the field work. Audit
Procedures / Steps as per FAM may be adhered to strictly and documented
accordingly.
4. Field Audit Teams shall submit AIRs along-with PDPs to respective Supervisory
Officer within 10 working days from the completion of the audit.
5. Supervisory Officer shall scrutinize the AIRs and PDPs and shall submit the
scrutinized AIR / PDPs to Director General / Director within 10 working days of
receipt of AIR/PDPs.
6. After approval of AIRs and PDPs by the Director General, the AIRs shall be
issued to the audited entity over the signature of Director General by Audit
Report Section within 05 days of approval.
7. Approved PDPs shall be issued to the respective Principal Accounting Officer
by Audit Report Section in Batches.
8. Supervisory Officers shall also be responsible for finalization of Audit Reports
concerning to departments/area of their supervision.
9. All Supervisory Officer shall collect from Inspecting Officer, cases of fraud and
corruption and report the same to Director and Director General after proper
scrutiny.

160 |
Supervision Plan
A Supervision Plan shall be designed and observed according to the following table:
S. Departments/Jurisdiction of
Name and Designation Visit Dates
No. Supervision
1.
2.
3.
4.
• Roles between different designations will need to be clearly defined with no
overlap in-between different designations.
• Visit dates for senior designations shall be designed in a way to allow for
supervisory visits within reasonable timeframes to direct and assist the field
team in smooth execution of the audit.

161 |
Budgeting
Budget and Actuals may be incorporated in AIR in following two patterns, keeping in
view the requirements of the Audit Plan and Annual Audit Report. This information
may also be sent to PM&E Section as soon as possible during audit of each formation.
For better apprehension and uniformity, an illustration is attached.
(A) Non-development
Non- Development Revenue Total
Salary
Salary
Budget
Actuals

Acquisition of
Civil
(B) Physical Assets Misc./Others Revenue Total
Works
(procurement)
Budget
Actuals

162 |
SOP for Non-Production of Records
This section deals with the methodology of acquiring relevant information from the
audited formation, in order to ensure its smooth execution.
i. The Inspection Officer In-charge Field Audit Team will send a Communication
Letter/Intimation Letter to the Head of the Audited Entity along with
tentative/general requisition of record and necessary information required, as
soon as reasonably possible after receipt of Tour Programme.
ii. The copies of the intimation letter shall be endorsed to next higher officers.
Evidence of dispatch / receipt shall be kept on record.
iii. On the very first day of commencement of audit, specific requisition of record
shall be served to the Head of the Audited Entity for the audit purpose and be
acknowledged. Copy of the same shall also be endorsed to the next higher
authority.
iv. In case of failure of production of record on first request, a reminder will be
given on the second day and reasons for non-production of record be sought
and documented.
v. A copy of reminder shall also be sent to the Head Office and next higher officer
of the audited entity.
vi. If default continues on the third day, field audit team shall report it to the Head
Office for taking up the matter with Head of the Audited Entity.
vii. If no response is received within a day, Head Office shall take up the matter
with PAO under intimation to the Deputy Auditor General concerned.
viii. If no response is received within a day, the field audit team shall serve para for
non-production of record including details of record and efforts made for
production of record. Thereafter, the field audit team shall leave the formation
after getting approval from Head Office and revision of Tour Programme.

163 |
Exit Meeting with Management
The following steps are intended to streamline and assist the audit team in closing of
their Field Audits. The following measures are intended as suggestions; however,
based on the coordination / responsiveness of the audited entity, the audit team may
alter their approach towards the closing of the field audit through (documented)
consultation and approval of the Director.
i. The Audit Officer should have provided audited entity management with copies
of audit observations immediately after Supervisory Officer’s review.
ii. The Audit Officer shall make a formal request to the Head of the Audited Entity,
two to three days before the closing date of audit, to provide a written response
and arrange an Exit Meeting on the closing date to discuss the audit
observations in the light of written responses.
iii. Such request shall be addressed to the Head of the Audited Entity by name
and be acknowledged by the same.
iv. A copy of all audit observations shall be enclosed with the request.
v. Concluding Para/Discussion Note shall be signed from the Head of the Audited
Entity.
vi. It shall be emphasized in the request to the Head of the Audited Entity that the
discussion of the Exit Meeting be result-oriented and logical for both the parties
involved, but only if the responses are provided by the management in a written
form.

164 |
Illustrations
Any illustrations to assist the audit team can be illustrated in the blank space below.
These can vary depending upon the nature of the entity and the risk areas to be
covered by the audit teams. Illustrations can include formats utilized by the entities for
their reports, such as Budget vs Actual Expenditure statements.

165 |
Annexure F.2.3: Staff Roster for Job Rotation

Name of FAO Review Period

Prepared by Asst. AO Preparation Date
Reviewed by AO Review Date

The name of the field audit team lead should be inserted in the table for each year (last five years).

Sr. When last

Dept. Formation Category 20XX-XX 20XX-XX 20XX-XX 20XX-XX 20XX-XX
No. audited
*Name* *Name* *Name* *Name* *Name*

166 |
Annexure F.2.4: Permanent & Planning File Updation Summary

Name of FAO Review Period

Prepared by DD Preparation Date
Reviewed by Director Review Date

This report is to be prepared at the end of planning phase to update Director regarding significant changes in the permanent file and how the
Deputy Director has responded to these changes.
Sr Permanent File Description of Change Impact of Changes on Planning/ Execution of
No. Ref # Audit, if any

This table is to be prepared at the end of planning phase to update Director regarding significant changes in the planning decisions, planned
audit focuses and audit steps from previous years and how the Deputy Director has responded to these changes.
Sr Planning File Ref Description of Change Impact of Changes on Planning Decision, Planned
No. # Audit Focuses and Audit Steps

167 |
Annexure F.2.5: Report for Quality Control Review of Permanent & Planning Files

Name of FAO Review Period

Prepared by DD Preparation Date
Reviewed by Director Review Date

This report is to be prepared at the end of planning phase. The purpose is to ensure that Permanent Files and Planning Files are timely
prepared/updated for planned audit assignments. This report shall warn the top management to take corrective actions before the commencement
of the audit execution. The columns may be adjusted to incorporate the nature of audits performed by the particular FAO.

Permanent Planning Files

Name of Files Compliance Audit Performance Audit Financial Audit
Entity Total
Notes
(PAO Audits Prepared / Prepared/ Prepared / Prepared/
wise) Updated Total Updated Total Updated Total Updated
(Y/N) (No.) (No.) (No.)
CDA 20 Y 5 4 5 5 10 10 See Note 1

*The above contents in the first row serve as an example. Note 1 shall include details of why only 4 planning files were planned / updated against a total of 5 compliance
audits.

Notes:

168 |
 Are all working papers present as per Permanent File Checklist? (Y/N)
Are all working papers present as per Planning File Checklist? (Y/N)

This report is prepared to point out non-compliance of quality controls on Permanent Files and Planning Files. This is to be prepared for each
planned audit assignment at the end of the Planning Phase. Corrections are to be made before start of the Execution Phase. This report shall
warn the top management to take corrective actions before the commencement of the audit execution.
No. W/P Ref No. Non Compliances Identified
Permanent File

Planning File

169 |
Annexure F.2.6: Summary of Quality Control Review Report of Permanent & Planning Files

Name of FAO Review Period

Prepared by Director Preparation Date
Reviewed by DG Review Date

This report is to be prepared at the end of planning phase. The purpose is to update concerned DAG exceptions identified during Quality Control
Review of the Planning phase. This report shall warn the top management to take corrective actions before the commencement of the audit
execution.

1. Permanent files of following audit entities were not updated by the end of the planning stage.
Name of Entity (PAO
Reasons Corrective / Preventive measures taken by FAO
wise)

2. Planning files of following audit entities were not updated by the end of the planning stage.
Name of Entity (PAO Name of Audit Corrective / Preventive measures taken
Reasons
wise) Assignment by FAO

170 |
 3. Significant Non-Compliances of Quality Controls Pertaining to Permanent Files and Planning Files.
Name of Audit Corrective/ Preventive measures taken
No. Description of Non Compliance
Assignment by FAO

171 |
Annexure F.2.7: Template for the Implementation Matrix of the DAGP Strategic Plan

This table shall serve as a possible implementation matrix the DAGP may use in the Strategic Plan. The implementation matrix shall be filled by
the SC appointed to oversee the implementation of the DAGP’s Strategic Plan.

Goal 1:

Output Critical Success

Objectives Key Activities Timeframe Funding Source Responsibility
Indicators Factors

172 |
Annexure F.3: Execution
Annexure F.3.1: Quality Control Review of Execution File & Reporting File

Name of FAO Review Period

Prepared by DD Preparation Date
Reviewed by Director Review Date

Are all working papers present as per Execution File Checklist? (Y/N)
Are all working papers present as per Evaluation & Reporting File Checklist? (Y/N)
This report is prepared to point non-compliance of quality controls on Execution file and Reporting File. This is to be prepared for each planned
audit assignment at the end of Execution Phase. Corrections are to be made before finalization of report.
No. W/P Ref No. Non Compliances Identified
Execution File

Reporting File

173 |
Annexure F.3.2: Execution File: Significant Issues Identified during Execution

Name of FAO Review Period

Prepared by Asst. AO Preparation Date
Reviewed by AO Review Date

This report is to be prepared within one week of the completion audit execution phase for each audit entity to update Director regarding significant
reportable issues identified during the execution of audit with respect to planned audit focuses.
Sr.
Focus Area Audit Para Ref. Description of Significant Issues
No.

174 |
 Annexure F.3.3: Monthly Status Report of Audit Plan

Name of FAO Review Period

Prepared by Director Preparation Date
Reviewed by DG Review Date

Prepared to ensure that the formations are being audited and the Audit Inspection Reports (AIRs) are being issued on timely basis as projected
in the audit plans. If the concerned DAG deems it appropriate, the FAO may prepare it at a higher frequency (such as on a fortnightly basis).
Status of Activity – Annual Audit Plan 202X
Recovery Recovery No.
No. of No. of No. of
S. Revised Not AIRs PDPs Pointed out Effected of Remarks/Reason for
Type of Audit Audits Audit Audit in
No. Targets Started Issued Issued (PKR in (PKR in DAC Deviation
Planned Completed Process
millions) millions) Held

Notes:

Financial Audits to be executed:

S.
Department Formation Name of IO Date Status
No.

175 |
Special Assignment (Performance audits / Other audits) to be executed:
S.
Assignment Dates Status Remarks
No.

Compliance Audit to be executed:

S.
FAT No. Headed by Formation Date from Date to AIR Issued on
No.

176 |
Annexure F.3.4: Summary of Quality Control Review of Audit Execution & Reporting

Name of FAO Review Period

Prepared by Director Preparation Date
Reviewed by DG Review Date

This report is to be prepared at the end of execution phase. The purpose is to update concerned DAG, exceptions identified during Quality Control
Review of the Execution & Reporting phase.

1. Following Audits were not completed by the timelines given audit plan.
Corrective/
Audit was Delayed
Type of Audit Preventive
Name of PAO Name of Formation by Reason for Delay
Assignment measures taken by
(number of days)
FAO

2. Significant Non-compliances of quality controls pertaining to Execution Files and Reporting Files.
Name of Audit Corrective/ Preventive measures taken by
No. Description of Non Compliance
Assignment FAO

177 |
Annexure F.3.5: Supervision Checklist

Note: This checklist may be tailored according to the context of the FAO / audited entity as deemed appropriate.
The table should be filled in by the Supervisory Officer:

Remarks
Sr.
Information Required (Supervisor Officer shall give detailed remarks against
No.
each point)
1 Name of FAO:
2 Name of Officer:
3 Designation:
4 Date of Visit/Supervision:
5 Name of Entity/Formation:
7 Were all team Members present?
8 Names and Designations of those absent:
Was team following audit programme given by the head of
9
FAO?
Was team conversant with the Guidelines Given in the audit
10
plan/Field Audit Instruction?
11 Number of observations issued by the team till date of visit:
Observations noted were duly supported with documentary
12
evidence?

178 |
 Remarks
Sr.
Information Required (Supervisor Officer shall give detailed remarks against
No.
each point)
In case of non-production of record, did the team bring it to
13
the notice of supervisory officer / head of FAO?
Were all risk areas identified in RAD scrutinized by the Field
14
Audit Team?
Were all areas identified by the supervisory officer to be
15 scrutinized by the Field Audit Team during the audit
attended?
Was the team preparing working papers concurrently?
16 Any comments on implementation of FAM Working Paper
Kit?
Did the audit team follow applicable DAGP standards?
17
(List the applicable standards and those that were followed)
Whether Planning File has been updated by the Field Audit
18
Team?
Did the supervisory officer meet the head of audited
19
organization?
Did the head of audited organization have any complaint
20
against the audit team?
Would audit be completed in given time or extension would
21
be required?

179 |
Further Remarks:

Signed by supervisory officer:

Signature of Head of Office (i.e. DG):

Countersigned by the Deputy Auditor General:

180 |
Annexure F.3.6: Record of Consultation

Client:

Year/Period end:

Problem to be considered:

Name of consultant used and reason for selection:

Actions discussed

Conclusion:

Prepared by: Date:

Reviewed by: Date:

181 |
Annexure F.3.7: Certificate of Quality for the Audit Report (Financial
Audit)
This certificate should be signed by the DG and submitted alongside the audit report to QAI&M
Wing for it to undergo quality assurance.
AUDITOR-GENERAL OF PAKISTAN
Name of Audit Report: __________________________________
Audit Period: _________________________________________
Review Period: ________________________________________
I hereby confirm that I have personally read the final draft of this [give the title and year] Audit
Report and to the best of my knowledge the report is in conformity with DAGP standards. In
particular:
1. The audit opinion is consistent with overall error evaluation.
2. The entity officials are in agreement with the findings, conclusions and
recommendations contained in the report. If not, the underlying reasons are clearly
documented.
3. All the information including background description in the report is supported by proper
evidence.
4. All significant issues, exceptions, or notes raised during the audit not included in the
audit report been followed up and resolved and their resolution has been properly
documented and filed in the working paper files duly signed by the competent authority.
5. Relevant Working paper files are prepared in accordance with provisions of FAM.

I understand that any deviation from aforementioned assertions would be reflected in my PER.

Name of FAO __________________

Name of DG ___________________
Date _________________________

182 |
Annexure F.3.8: Certificate of Quality for the Audit Report (Other
Audits)
This certificate should be signed by the DG and submitted alongside the audit report to QAI&M
Wing for it to undergo quality assurance.
AUDITOR-GENERAL OF PAKISTAN
Name of Audit Report: __________________________________
Audit Period: _________________________________________
Review Period: ________________________________________
I hereby confirm that I have personally read the final draft of this [give the title and year] Audit
Report and to the best of my knowledge the report is in conformity with DAGP standards. In
particular:
1. Report is prepared in conformity with the prescribed reporting template
2. All the information including background description, tables and statistics in the report
are supported by proper evidence.
3. Proper proof reading of the audit report has been carried out.
4. The audit report addresses all and only significant issues identified during field audit
activity.
5. All significant issues identified during the audit, but not included in the audit report, have
been followed up and resolved. Proper documentation of all resolved issues has been
maintained
6. Relevant Working paper files are prepared in accordance with provisions of DAGP
Standards.

I understand that any deviation from aforementioned assertions would be reflected in my PER.

Name of FAO ___________________

Name of DG ____________________
Date __________________________

183 |
Annexure F.3.9: Certificate of Quality for the Updated Audit Report
after QAC (All Audits)
This certificate should be signed by the DG and submitted alongside the revised/updated
audit report to QAI&M wing after QAC review for approval of Auditor General of Pakistan
through DAG concerned.
AUDITOR-GENERAL OF PAKISTAN
Name of Audit Report: __________________________________
Audit Period: _________________________________________
Review Period: ________________________________________
I verify that I have personally read the final draft of audit report (give the title and year) and I
hereby certify that all the errors/omissions pointed out by External QAC have been rectified
and all agreed recommendations for improvements made by them have been incorporated in
the final draft being, submitted for the approval of the Auditor General of Pakistan.

Name of FAO ___________________

Name of DG ____________________
Date __________________________

184 |
Annexure F.3.10: Certificate of Quality for the Printed Audit Report
(All Audits)

This certificate should be signed by the DG and submitted alongside the five printed audit
reports for signature of Auditor General of Pakistan.
AUDITOR-GENERAL OF PAKISTAN
Name of Audit Report: __________________________________
Audit Period: _________________________________________
Review Period: ________________________________________
I verify that the printed audit report (give the title and year) has been compared with
approved manuscript and found correct.

Name of FAO ___________________

Name of DG ____________________
Date __________________________

185 |
 ► Annexure A: ISSAI 140

► Annexure B: QAI&M Mandate

► Annexure C: Quality Control & Assurance

Key Tasks and Responsibilities for DAGP
staff

► Annexure D: Terms of References for

Ethical Committees

► Annexure E: Summary of Quality Control /

Assurance Implications

► Annexure F: Templates for Quality Control

► Annexure G: Templates for Quality

Assurance

186 |
Annexure G.1: Quality Assurance at FAO-Level by QAI&M Wing
Annexure G.1.1: Post-Audit Quality Assurance Checklist

Name of FAO Review Period

Name of Audit Entity
Prepared by Preparation Date
Reviewed by DD Review Date

Audit
Item Yes No Review Comments
Stage
1. Have all FAO staff signed the Independence confirmation?
(Copy of the summary sheet should be available in the file)
2. Have all FAO staff signed the Code of conduct declaration?
(Copy of the summary sheet should be available in the file)
3. Has RAD been prepared covering all entities and duly approved?
(Evidence of RAD approval shall be available on the document)
Planning

4. Was staff rotation ensure while composing audit teams?

(Staff Roster for Job rotation shall be prepared and duly approved any changes to
the team shall be adequately documented and approved. Evidence shall be
maintained in the file)
5. Were the Field Audit Instructions issued to each audit team?
(Copy of FAI shall be maintained in the file)
6. Did the audit commence as per the timelines mentioned in the approved audit
plan?
(If case of delays, reasoning for delays shall be documented and approved by the
competent authority shall be on the file)

187 |
 Audit
Item Yes No Review Comments
Stage
7. Were permanent & planning Files updated for each entity in a timely manner?
(A copy of the filled and approved performa of “Permanent & Planning File
Updation Summary” shall be maintained in the file)
8. Was a quality control review carried out to ensure updation of Permanent &
Planning Files?
(A duly filled and approved copy of the performa for “Quality Control Review of
Permanent & Planning Files” shall be maintained in the file.)
9. Was a summary report on status of updation of permanent and planning files sent
to DAG for review?
(The performa for Quarterly Summary of Quality Control Review of Permanent &
Planning Files shall be duly filled and submitted for review)
10. Was a supervisory plan for supervisory visits prepared and approved?
(Copy of the supervisory plan should be duly signed and approved in the file or
the notification sent to field audit teams prior to the commencement of audits.)
11. Were supervisory visits conducted and corresponding supervisory checklists filled
and approved?
(Copy of the supervisory checklist duly signed and approved should be available
in the file.)
12. Was the monitoring of the audit plan adequately performed with any delays
adequately communicated and revisions approved?
Execution

(Evidence of Monthly Status Report of Audit Plan duly reviewed shall be

maintained in the file)
13. Was a quality control review of audit execution and reporting performed by the
FAO?
(A duly filled and reviewed performa of Exception Report for Quality Control
Review of Audit Execution and Reporting shall be maintained in the file)
14. Were the significant issues identified during the audit adequately documented and
reviewed?
(Evidence of review shall be maintained in the file)
15. Was a summary report prepared for the quality control reviews of audit execution
& reporting?

188 |
 Audit
Item Yes No Review Comments
Stage
(Evidence of review shall be maintained in the file)
16. Was an exit meeting was formally conducted and documented?
(Meeting minutes of the exit meeting shall be formally documented)
17. Were PDPs adequately reviewed and evaluated as per associated risk and
materiality?
(Evidence of discussion/meeting minutes shall be duly maintained in which PDPs
have been discussed and evaluated)
Reporting & Evaluation

18. Was an Audit completion checklist prepared?

(The filled and reviewed checklist shall be available in the file)
19. Was DAC meeting held in a timely manner?
(Minutes of the meetings shall be available in the file)
20. Was the draft report updated after receiving comments from DAC?
(Evidence of draft report updation and submission for review shall be maintained
in the file)
21. Was the follow-up of the draft audit report performed for QAC meeting(s)?
(Evidence of draft report updation and submission for review shall be maintained
in the file)

The following non-compliances were identified;

No. W/P Ref No. Non Compliances Identified

189 |
Annexure G.1.2: Cold File Quality Assurance Review of Audit

Name of FAO Name of Audit Entity

Review Period Approved by DG
Prepared by Preparation Date
Reviewed by DD Review Date
Reviewed by Director Review Date

Note: This checklist may be tailored according to the nature of the audit as deemed appropriate.

Description of Task Yes No Remarks

Planning
Was the entity / formation part of the approved audit plan?
Was the selection of entity / formation in the audit plan in line with the risk
assessment carried out in RAD?
Is there evidence in the file that the auditors worked with the internal auditors to
coordinate their audit plans and to reduce the total audit effort?

Does the audit plan contain the following information:

a) Overall objectives for the audit?
b) Overall scope of the audit?
c) The materiality and planned precision amounts?
d) Audit risk?
e) Significant audit components?
f) Inherent risk assessments for all specific financial audit objectives and related
compliance with authority objectives for all significant components?

190 |
 Description of Task Yes No Remarks
g) Control risk assessments for all specific financial audit objectives and related
compliance with authority objectives for all significant components?
h) Sources of audit assurance for all specific financial audit objectives and
related compliance with authority objectives for all significant components?
i) Budget (in total audit days)?
j) Staff allocations to each component?
A time schedule showing estimated start and completion dates for each phase of
the audit?
k) Approved audit programmes that contain:
i. Specified audit procedures?
ii. Sample(s) (either a list of those selected or the proposed methodology to select
them)?

Does the audit plan include:

a) An appropriate use of computer-assisted auditing techniques (CAATs)?
b) An appropriate use of internal audit?
If any adjustments were subsequently made to the audit plan:
a) Were the audit programmes updated to reflect the amendments?
b) Were all significant amendments approved?
Is there evidence that the audit staff members performing the work were aware of
the contents of the audit plan?
Were entity officials informed about the audit before it commenced?
Did the audit team provide entity officials with a list of schedules, documents, to
provide? If yes, was this list provided well in advance of the commencement of the
audit to provide entity officials time to assemble the requested information?
Overall, did the documentation of the understanding of the audit entity and the
planning decisions that were made appear to be reasonable? Consider:
a) Was there a permanent file, a planning file and an audit planning
memorandum?
b) Were the appropriate forms used and were they approved?
c) Did the documentation appear to be complete?

191 |
 Description of Task Yes No Remarks
d) Did the documentation appear to be excessive, (i.e. was there irrelevant
material in the files)?
2. Overall, does it appear as if the audit plan would provide sufficient and
appropriate audit evidence to provide the required amount of assurance? (If
no, provide examples to support conclusions.)
3. Overall, does it appear as if the mix of tests of internal control, analytical
procedures and substantive tests of details provide a cost-effective source of
assurance for all significant components? (If no, provide examples to support
conclusions.)
4. Overall, was the planning of the audit well done? (If no, provide examples to
support conclusions.)
Performing the Audit
Was the progress against the plan monitored?
If so, did the monitoring include:
(a) Resources expended (in days/hours)?
(b) Passage of time (start and end dates for each phase, etc.)?
Is there evidence on file of regular progress meetings?
If significant delays were incurred, were they well documented?
Was the audit work completed within budget?
If not:
a) Were the overruns adequately explained?
b) Do the explanations appear reasonable?
Is there adequate evidence in the working paper files to indicate that the planned
work was completed correctly?
Do the working paper files include:
a) An easy to follow table of contents?
b) Cross references from financial statements to where the supporting evidence
can be found?
Are the working papers neat, clearly written, and well presented?
Does each working paper include, to the extent required to avoid ambiguity:

192 |
 Description of Task Yes No Remarks
a) Clear file numbers and names of the audit areas?
b) The period covered by the audit?
c) The name or initials of the auditor?
d) Sources and dates of documents obtained?
Is there evidence that the auditors were provided with appropriate supervision given
their level of experience?
Is there evidence on file of review by the supervisor (e.g., pages of working paper
files initialled, memos on file indicating supervision)?
Evaluating the Audit Results:
Was the planned level of overall assurance achieved for each specific financial
audit objective and each related compliance with authority objective for each
component?
Have all errors, authority violations or other reportable matters found in samples
been projected over the population from which they were selected?
Have upper error limits been determined for each component?
Has an overall error evaluation (reaching conclusions about each component and
then about the financial statements as a whole) been performed?
Reporting
Is the audit opinion consistent with overall error evaluation?
Does the audit opinion contain reservations for all applicable matters?
Were entity officials properly briefed about the contents of the audit opinion?
Was the process of issuing the opinion performed in a timely manner?
If not, were the delays:
a) Documented?
b) Justifiable?
Were entity officials generally in agreement with the opinion being issued?
If not, were the underlying reasons clearly documented?
For each audit report and management report issued:
Were entity officials properly briefed during the clearing process?

193 |
 Description of Task Yes No Remarks
Was the process of issuing the report performed in a timely manner?
If not, were the delays:
a) Documented?
b) Justifiable?
Were entity officials generally in agreement with the findings, conclusions and
recommendations contained in the report?
If not, were the underlying reasons clearly documented?
Was there any information (including background description) in the report that was
not supported by evidence on file?
Does the report follow an appropriate structure, such as observation/findings,
conclusions, recommendations, and entity comments?
Are the observations grouped by cause or by functional area?
Where the report is fairly long, say more than 10 or 15 pages, is there an executive
summary?
Is each matter being reported:
a) Briefly and clearly described?
b) Relatively free of technical jargon?
Are the recommendations:
a) Practical?
b) Put in proper context?
Can any savings be claimed as a result of the audit?
If so, is the estimate of the savings:
a) Well documented?
b) Reasonable?
Overall, is the report:
a) Well written?
b) Apparently useful?
Is the audit report sufficiently concise that Parliamentarians, the Public Accounts
Committee, the media, etc. would find it of interest to read?

194 |
 Description of Task Yes No Remarks
Have minor matters been kept out of the published audit report? (They could have
been reported in a management report.)
Are there any “lessons learned” from this audit (both positive and negative)?
Do you have any recommendations with regard to the Audit Manual, the Standard
Audit Working Paper Kit, the Audit Guides, or other related material?
Are there any recommendations regarding:
a) Training of DAGP staff?
b) DAGP’s organisational structure?
c) DAGP’s supervision procedures?
d) Communications (within DAGP and with entity)?
e) Team characteristics (e.g., need for external expertise, size, composition)?

195 |
Annexure G.1.3: Summary of Quality Assurance Review Observations

Name of FAO Review Period

Name of Audit Entity
Prepared by Preparation Date
Reviewed by DD Review Date

Prepared to identify key quality assurance review observations with the inclusion of FAO responses.

FAO’s Management Further Action Required

Ref. No. Nature of Weakness
Response by FAO

196 |
Annexure G.1.4: Summary Review Memorandum

Name of FAO Review Period

Name of Audit Entity
Prepared by Preparation Date
Reviewed by DD Review Date

Highlighting only medium and high risk observations

Agreed by
QAP the FAO Implications Following up action plan/
Ref. Nature of Weakness Management Recommendation
No.
Y/N Planning Execution Reporting

197 |
Annexure G.1.5: Follow-up Continuity Schedule

Name of FAO Review Period

Name of Audit Entity
Prepared by Preparation Date
Reviewed by DD Review Date

This is prepared to check progress on each action plan / recommendation agreed by management for the previous post-audit quality assurance
review.

QA Previous Period
Report Observation Action Plan Agreed by Period of Proposed Future Year Follow
Ref. Progress so far
the Management Correction up Planned
Nature of Weakness

198 |
Annexure G.1.6: Post-audit Quality Assurance Mapping Plan

Review Period
Prepared by DG Preparation Date
Reviewed by DAG Review Date

This table shall be used to identify the teams that shall visit each FAO. These teams should have a mix of experience so as to be able to
perform an effective post audit quality assurance of the various types of audits conducted by each FAO.

Sr QA Name of FAO Names Designation Qualification Past Experience Remarks

No. Team

1
1
2

This table shall be used to determine the number of audits planned for each nature of audit assignment and determine those audits that are
incomplete and would require the usage of the previous year’s audit file. Audits conducted outside the FAO’s approved audit plan must be
included as well. This table should be created for each FAO.

Name of FAO: XX
Sr Audit Assignments Audit Plan 20XX-20XX
No. Planned Completed Ongoing
1. E.g.: Financial Attestation Audits 15 14 01
2.

199 |
Details of each audit should be listed below to determine their names and establish which audits will have their previous year’s audit file used
so that this can be taken into consideration during the next year’s post-audit quality assurance plan. This table should be created for each type
of audit for the FAO.
Type of Audit Assignment: E.g.: Performance Audits
Previous Year’s
Sr No. Name of Completed Audit Audit Period Assigned Personnel Audit Period
Reviewed
1. E.g.: Performance Audit of Telecom Foundation E.g.: 2021 – 2022 E.g.: 2020 – 2021

200 |
Annexure G.2: Quality Assurance Conducted Centrally by
QAI&M Wing
Annexure G.2.1: Report on Post-Audit Quality Assurance

Name of FAO: ___________________________

Review Period: _________________________________
This report should be prepared by the inspection team from QAI&M Wing with the purpose of
providing an executive summary; the context of the audited entity and FAO; the types of
assignments subjected to the post-audit quality assurance review; the objective, scope and
methodology of the post-audit quality assurance review; the findings of the Director during
their reviews; the findings of the team during the quality assurance review (Annexure G.1.3 &
G.1.4) and the previous post-audit quality assurance review report’s follow-up (Annexure
G.1.5).
Content of the Report
Introduction

• Background of the Report (including objective)

• Context of the FAO
• Context of the Audited Entity
• Approach and Methodology
• Scope of work (including sample of audit assignments reviewed)
Executive Summary
Note: the findings shall be on the basis of the Post-audit Quality Assurance Checklist
(Annexure G.1.1), Summary of Quality Assurance Review Observations (Annexure G.1.3),
Summary Review Memorandum (Annexure G.1.4), Follow-up Continuity Schedule
(Annexure G.1.5).

• Summary of Key Findings

• Summary of Follow-up Continuity Schedule
Detailed findings

No. of
S. Action Plan Current
Description exceptions
No. Agreed Status
noted

201 |
Follow-Up Continuity Schedule

S. Implementation Further Action

Issue Noted during Last Review
No. Status Required (if any)

Recommendations
Note: on the basis of key findings, recommendations shall be prepared to address them.

Annexures (if any):

202 |
Annexure G.2.2: Annual Report on Post-Audit Quality Assurance

Review Period: _________________________________

This report should be prepared by the inspection team from QAI&M Wing with the purpose of
providing an executive summary; the objective, scope and methodology of the post-audit
quality assurance review; the name and number of FAOs along with audit assignments
reviewed; the summarized findings of the post-audit quality assurance review with descriptions
of areas that need improvements as well as the corrective measures needed to address them
and, finally, the follow-up of previous reports.
This annual report will combine all post-audit quality assurance reports for the approval of the
AGP.
Content of the Report
Introduction
• Background of the Report (including objective)
• Approach and Methodology
• Scope of work (including sample of audit assignments reviewed and number of FAOs
visited)
Executive Summary

• Summary of Key Findings

• Summary of Follow-Up Continuity Schedule
Detailed Findings

No. of
S. Action Plan Current
Description exceptions
No. Agreed Status
noted

Follow-Up Continuity Schedule

S. Implementation Further Action

Issue Noted during Last Review
No. Status Required (if any)

203 |
Recommendations
Note: on the basis of key findings that tend to repeat themselves across all FAOs,
recommendations shall be prepared to address them.

Annexures (FAO Wise):

Name of FAO
No. of
S. Action Plan Current
Description exceptions
No. Agreed Status
noted

204 |
Annexure G.2.3: QAC Meeting on the Audit Report (Financial Audits)

AUDITOR-GENERAL OF PAKISTAN
Name of FAO: ______________________________
QAC Meeting Date: __________________________________
Period Under Review: ________________________________________

This program is to be used for QAR of the Financial Audit Reports.

The review should be conducted by reviewing the Audit Report, related quality assurance
documents, Internal QAC minutes and related working paper files.

Yes/ Audit Review Max.

Marks
Description No/ W/P File Marks
Obtained
N.A Ref. Ref. Assigned

1. Is the audit opinion consistent with

overall error evaluation? i.e. it is
consistent with;

a) Internal Control Weaknesses

impact analysis,

b) Evaluation of analytical
procedures,

c) Evaluation of Internal Control

deviations - Evaluation of sample
results,

d) Evaluation of Substantive tests-

Projectable errors for sample,

e) Evaluation of Substantive tests –

Non-Projectable errors,

f) Substantive tests evaluation –

summary

g) Achieved level of assurance,

h) Errors in each component,

i) Overall errors in Financial

Statements,

Does the audit opinion contain reservations for all applicable matters?

Scope limitation

When the auditor:

205 |
 • was unable to perform specific tests
and procedures and obtain certain
audit evidence; and, as a result,
• was unable to determine whether or
not there has been a departure from
the government’s accounting
principles that materially affects the
financial statements.
A scope limitation had occurred,

• If this scope limitation or uncertainty

was so fundamental, pervasive or
significant that a qualified opinion was
not adequate, a disclaimer was given.

• The wording of the disclaimer makes

it clear that an opinion cannot be
given.

• The scope paragraph is amended

accordingly to incorporate the scope
limitation.

• A reservation paragraph should be

inserted between the scope
paragraph and the opinion paragraph.

• The reservation paragraph should

clearly and concisely describe the
reason for the disclaimer.

• If the matter was not that much

pervasive and fundamental, the
auditor report contains a reservation
paragraph between scope paragraph
and opinion paragraph,

If yes, then the matter is explained

clearly and concisely

• The opinion and scope paragraph

are amended accordingly.

• In the case of an audit involving

more than one Ministry, identify the
specific Ministry (or Ministries) in
which the scope limitation has
occurred.

Departure from Government’s

N/A
Accounting Principles

Adverse Opinion

206 |
 • If the effect of Departure from
Government’s accounting principles
is fundamental and pervasive, then an
adverse opinion was given

Qualified Opinion
• If the matter was not that much
pervasive and fundamental, the audit
report contains qualification
paragraph between scope paragraph
and opinion paragraph,

• If yes, then the matter is explained

clearly and concisely,

• Its financial effect is quantified

• The opinion paragraph is amended

accordingly

• In the case of an audit involving

more than one Ministry, identify the
specific Ministry (or Ministries) in
which the monetary errors or
compliance with authority violations
occurred.

Total
(Marks cannot be allocated to 65
individual items. Marks will be
given only for correct opinion)

1. Do the working papers contain

signed copy of the financial
3
statements duly cross-referred with
the work papers?

2. The form and content of reports are

in accordance with established
8
procedures and formats approved by
competent authority.

3. Terminology used in report can be

easily understood by persons to
3
whom report is presented and
technical terms are fully explained.

4. All audit findings have been

evaluated in terms of materiality, 10
errors and other irregularities.

5. Were entity officials generally in

agreement with the findings, 8
conclusions and recommendations

207 |
 contained in the report? If not, were
the underlying reasons clearly
documented?

6. Was all information (including

background description) in the report 3
supported by evidence on file?
Total 35

208 |
Names of members who attended the meeting:

Sr. Attendance
Designation Name
No. (Signature)

DAG (QAI&M) (Chairman

1
QAC)

2 DG (QAI&M) (Secretary)

3 Director (QAI&M) (Member)

DG (Presenting the Audit

4
Report) (Member)

5 DD (Member)

6 Director (Member)

Conclusion:
________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________

209 |
Annexure G.2.4: QAC meeting on the Audit Report (Other Audits)

AUDITOR-GENERAL OF PAKISTAN
Name of FAO: ______________________________
QAC Meeting Date: __________________________________
Period Under Review: ________________________________________

This program is to be used for quality assurance review of other audit reports.
The review should be conducted by reviewing the Audit Report, related quality assurance
documents, Internal QAC minutes and related working paper files.
1. Whether the report is prepared in the prescribed format?
Yes/ Review Max.
Sr. Marks
Description No/ File Marks
No. Obtained
N.A Ref. Allocated

List of Acronyms is given.

Preface
1 Executive summary, 5

Audit Objectives, Scope and

Methodology is defined.

Classified Summary of Audit

10
Observations;

• Non-Production of Records,

• Reported cases of fraud,

embezzlement and misappropriation

• Irregularities,
2 A) HR / Employee related
B) Procurement related
C) Management of accounts with banks
D) Execution of works, contract
agreement

• Value for money and service delivery

issues

• Any other as per requirements of FAO

• Audit observations are arranged

Ministry/Department wise and within a
3 Ministry observation are classified under 2
the headings as prescribed in the
template.

210 |
 Each audit para follows the sequence as
prescribed in the template based on
Criteria, Condition, Cause, Effect and 10
Recommendation (CCCER) i.e. it
contains;

• Criteria,
• Observation,
4
• Cause/reasons,

• Implication,
• Management reply,

• DAC’s recommendations,

• Audit comments.

Sequence of paras is in terms of their

5 3
importance,
Total 30

2. Other Consideration as per Section 12 of FAM

Yes/ Review Max.
Sr. Marks
Description No/ File Marks
No. Obtained
N.A Ref. Allocated

Was the process of issuing the report

performed in a timely manner?

1 If not, were the delays: 10

a) Documented?
b) Justifiable?

Whether the audit report addresses only

2 5
significant issues?

Whether proof reading of the report has

been carried properly and is written in a
3 5
language which is clear, to- the-point and
understandable to the addressee?

Whether proper evidence to the effect

that efforts have been made to obtain
entity’s response on audit report is
available.
4 5
The audited entity’s responses have
been included in the report along with
‘Further Audit Comments’ where these
have been provided by the audit entity.

211 |
 Whether all the information (including
background description) in the report is
5 10
supported by proper evidence in
Working paper files?

Are the recommendations made in the

6 audit report are practical and pertains to 5
the cause mentioned in the Audit Para?

Have all significant issues, identified

during the audit and not included in the
audit report been followed up and
7 resolved? Have resolution of the above 5
been properly documented and filed in
the working paper file duly signed by the
competent authority.

Whether causes of errors/irregularities

have been properly identified and relate
8 to condition identified in the Para as well 5
as the commentary on internal controls
given in the audit report.

Relevant Working Paper files are

properly referenced and contain all
9 5
necessary evidence against planned
audit focuses.

Compliance with AGP directives; 15

a. Comments on the state of internal

controls in the audited entity,
specifically pointing out controls that
are weak;
b. Effectiveness of internal audit
departments of audited entity must
be commented upon; and
c. Disclosure of recoveries made in
executive summary segregating
recoveries made on the pointation of
10 auditor and those were already in
the notice of management but
realized due to audit.
d. Mention of usage of CAATs during
audit in executive summary how the
efficiency and effectiveness of audit
was improved as a result of CAAT,
e. Percentage of receipts /expenditures
audited to be shown in executive
summary,
f. Any change in laws, rules and clients
operational procedures to be
mentioned in executive summary,

212 |
 g. Comparison of audit planned and
actual achievements to be
mentioned in executive summary,
h. Sample size selected for audit to be
mentioned in the executive
summary,
i. Cost & service delivery of audit to be
shown in executive summary,
j. Inclusion of a Sectoral Analysis
including issues related to public
financial management,
k. Any other directive issued specific to
the particular FAO.
Total 70

Names of members who attended the meeting:

Sr. Attendance
Designation Name
No. (Signature)

DAG (QAI&M) (Chairman

1
QAC)

2 DG (QAI&M) (Secretary)

3 Director (QAI&M) (Member)

DG (Presenting the Audit

4
Report) (Member)
5 DD (Member)

6 Director (Member)

Marks Obtained: ______________________

213 |
Annexure G.2.5: Certificate of Quality for the Audit Report

FAO Name: ___________________ Date of QAC Meeting: ___________________

Period Under Review: ______________________

Names of members who attended the meeting:

Sr. Attendance
Designation Name
No. (Signature)

DAG (QAI&M) (Chairman

1
QAC)

2 DG (QAI&M) (Secretary)
3 Director (QAI&M) (Member)

DG (Presenting the Audit

4
Report) (Member)
5 DD (Member)

6 Director (Member)

Grading of Report
I have conducted the Quality Assurance Review of the report in accordance with the “Audit
Quality Management Framework”. The review was conducted to evaluate the audit report;

• through the checklist placed at Annexure G.2.3 (for Financial Attest Audit Report) or
G.2.4 (for Other than Financial Attest Audit Report) of the Framework,
• examining, on a test basis, evidence supporting the observations documented in the
audit report,
• considering the outcomes of the Quality Assurance Review of the Audit Cycle of
respective FAO.
I believe that my review provides a reasonable basis for the grades assigned to the report.

Grade Awarded
Grade (QAC Chairperson to Sign Relevant
Cell)
A – Excellent (Marks equal to or greater than
80)

B - Good (Marks from 70 to 79)

C - Due diligence was not observed in

carrying out audit. (Marks less than 70)

214 |