Compliance_Guidelines Audit Plan.pdf

Transcript

3. Compliance Audit Plan

3.1 Compliance with rules and regulations is the primary and the most important
requirement for ensuring accountability of the public executive. Decision makers
need to know whether relevant laws and regulations are being complied with,
whether they have achieved the desired results, and whether the accepted
standards of financial propriety are being adhered to; and if not, what corrective
action is necessary. It is imperative that compliance audits are planned to achieve
adequate coverage at an acceptably low level of audit risk, audit processes are
carried out in an economic, efficient and effective manner and result in a high quality
audit report. However, given the size of Government and its implementing arms and
the limited audit resources it is impracticable to plan for audit coverage of all audit
units in the audit universe-as defined at present. Proper planning and prioritisation
of compliance audits based on an appropriate risk assessment, is therefore,
paramount.
Audit Universe and Annual Compliance Audit Plans
3.2 Understanding the Audit Universe and prioritisation of compliance audits to be taken
up is essential, which is in itself a complex task, given the various layers of
Government and the Government implementing a significant number of programs
/schemes with various implementing agencies, some of which could even be private
sector entities. To implement the mandate entrusted to CAG by the Constitution of
India, we are expected to cover, over a reasonable period of time, all the
sectors/departments of the concerned State Governments/Central Government
wherever public funds are spent or revenues are generated or nation’s wealth or
resources are utilised. While the various departments/sectors are accountable for
policy formulation and implementation, the organisational hierarchies within each
Department /sector are typically organised as Directorates/Commissionerates,
zones, divisions, circles, ranges etc., and further down to the last mile implementing
agencies. All these units together implement the Government policy and expend
public money or collect public revenues and can be called as the audit universe. This
Audit universe is required to be broken down into audit units for the purpose of
planning and scheduling audits.
3.3 This requires top down, risk based, Department centric mechanism for macro level
planning and conducting compliance audits and preparation of annual compliance
audit plans by (a) defining the apex auditable entities and audit units and (b) risk
profiling. This exercise can provide a holistic view of functioning of the auditable
entities without the risk of dismissing audit findings as a random view and
statistically insignificant.

Compliance Auditing Guidelines – C&AG of India 12 | P a g e
 Defining the Apex Auditable Entities and Audit Units
3.4 A top down and risk based approach to identification of audit units intends to place
the Department/Sector as the centre piece of the audit focus and provide a scientific
mechanism of defining audit units. The Department / Sector in the State
Government or the Central Government being the top layer would be defined as the
Apex Auditable Entity5. Since policy formulation and oversight flow from the
Departments/Sectors (Apex Auditable Entities) and responsibility for implementation
of schemes/programs vests with the lower formations of the Government
(Directorates /Commissionerates/zones, divisions, circles, ranges etc.) a significant
portion of the risk is embedded in these layers, while the lowest layer is typically the
implementing arm and accountability for its performance invariably rests with the
higher organisational hierarchies. The top down approach for identification of audit
units mentioned in these guidelines therefore envisages that audit units are
identified beginning with higher organisational hierarchies of the Apex Auditable
Entity and fanning out to operational units at the field level.
3.5 The audit units may be defined based on the quantitative measures of devolution of
administrative and financial powers, the qualitative measures of functional
autonomy and operational significance attributable to the unit for achievement of
objectives of the Department. The devolution of powers would have to be
substantial and not limited to the routine delegation of powers for managing the
establishment and contingent expenses. This would ensure that the administrative
authority for allocation of funds and delegation of powers are at the centre of
compliance audit.
An Audit Unit is therefore defined as a unit, which has one or more of the following
attributes:
 substantial devolution of administrative and financial powers;
 functional autonomy; and
 operational significance with reference to achievement of objectives of the apex
auditable entity.
3.6 After determination of Audit Units based on the aforesaid parameters, the
organisational hierarchies and implementing agencies below the Audit Units are to
be categorised as Implementing Units. The Implementing Units are typically the last
mile service providers and implementation arms of Government, with very limited
delegation of financial and administrative powers - of contingent nature and for
managing establishment. These Implementing Units would be audited, based on a
sample selection, as a part of audit of their respective Audit Units. The process of

5
The Regulation 2 of the CAG’s Regulations of Audit and Accounts, 2007 defines Auditable entity as ‘’an office,
authority, body, company, corporation or any other entity subject to audit by the CAG’. The highest authority
or Head of Department under the audit jurisdiction of the Accountant General would be the Apex Auditable
Entity.

Compliance Auditing Guidelines – C&AG of India 13 | P a g e
 sample selection is explained in the subsequent sections. The envisaged typical
representation of Apex Auditable Entity, Audit Units and Implementing Units is
shown below:

Apex Auditable Entity
Department/Sector

Directorate Directorate
Commissionerate Commissionerate

Audit Units
Zonal Unit Zonal Unit Zonal Unit Zonal Unit

Circle/ Circle/ Circle/ Circle/ Circle/ Circle/ Circle/ Circle/
District/ District/ District/ District/ District/ District/ District/ District/
Divisional Divisional Divisional Divisional Divisional Divisional Divisional Divisional
Unit Unit Unit Unit Unit Unit Unit Unit

Implementing Units
Sub-Divisional Units/Implementing agencies

Legend
100% selection sample selection as appropriate

3.7 Preparation of audit universe by defining Apex Auditable Entity and Audit Units in
terms of these guidelines would be carried out by the respective Accountants
General in field offices. Each field office would be required to prepare an
organisation chart of the Departments to identify the audit units based on the
above parameters. The list of Audit Units and the Implementing Units would have to
be maintained in the field offices, which would henceforth form the basis of
planning compliance audits. While the above representation showcases
organisational structure from the State Government’s perspective, the central
functions such as Central Revenue, Railways, Commercial, Posts and
Telecommunications etc. and the Local Self Government – the Local Bodies shall
also define their Apex Auditable Entities and Audit Units keeping in view the
philosophy described in paras 3.4 to 3.6 above.

Compliance Auditing Guidelines – C&AG of India 14 | P a g e
3.8 With the evolving governance structure, the nation’s wealth/natural resources are
being dealt with not only by the Union, State or its instrumentalities but also by the
private parties, for delivery of public goods and services, it has become important
that these implementing agencies or service providers are made accountable to the
people and to the Parliament. These implementing agencies would also, therefore,
be included in the aforementioned category of implementing units.
Records of these implementing agencies are required be accessed through the
respective audit units. Detailed instructions of the procedure to be adopted for
access and audit of records of such agencies are contained in the Guidance Note
issued by Headquarters in this regard. However, the scope and extent of examination
of records of such implementing agencies will depend upon the applicable regulatory
framework including any contract/ agreement which the implementing agency may
have entered into with the government, professional standard or practice used by
the industry in which the entity operates and also judicial pronouncements.
Risk Profiling
3.9 The risk based approach to planning compliance audits is about focussing audit
efforts on the perceived high risk areas/activities. Risk profiling of the Apex Auditable
Entities and their Audit Units has to be done considering their structures, roles they
are expected to perform and compliance requirements. As governments and other
organisations transition into digital environment, they generate, process and store
voluminous data. Also, useful and relevant data in disparate forms and continuously
produced by various government and non-government agencies and entities. When
collated, they provide the contextual framework and valuable insight into the
functioning of an apex auditable entity. Capacity and infrastructure limitations have
so far restricted the reach of auditors in the big data environment. The advent of big
data marks a paradigm shift, which by design integrates data from various sources
and in various formats to transform data into actionable information. This aims to
enhance the efficiency and effectiveness of audits. IA&AD has adopted a Big Data
Management Policy to harness such opportunities. This policy is expected to
facilitate greater and deeper insights into the Apex Auditable Entity’s environment to
clearly identify risk areas and prioritise the audit units.
3.10 Apex Auditable Entities while being responsible for delivery of public goods and
services and expending public funds or collecting revenues may also be responsible
for administering and / or enforcing various laws, rules or regulations. At the same
time, these are also governed by various rules, laws and regulations. Similarly,
officials entrusted with management or stewardship of public funds and public
entities are expected to act with propriety in all matters concerning the discharge of
their responsibilities. Keeping all the above factors in mind, the field audit offices are
encouraged to apply the risk assessment methodology by evaluating high risk
areas/activities of these entities relating to:

Compliance Auditing Guidelines – C&AG of India 15 | P a g e
  Administration and/ or enforcement of laws, rules and regulations etc.,
 Compliance with applicable laws, rules and other authorities;
 Responsibility for government receipts and expenditure;
 Safeguarding of assets and liabilities;
 Prevention of losses and wastage, frauds, leakage of revenue;
 Promoting transparency, prudence and probity; and
 Internal control environment
3.11 The risk assessment methodology should include a review of the following:
 Latest socio-economic survey of the Centre/ State
 Current Budget & Demands for Grant
 Outcome budgets
 Five year plans and Working Group reports/ Annual plans
 Finance Commission Report
 Annual/ Performance/ Activity Reports of Ministries / Departments/
Companies and other information on Government websites
 Major policy announcements/initiatives of Government
 VLC data & Report on State Finances
 Finance & Appropriation Accounts
 Geographical location
 Past audit coverage
 PAC/COPU suggestions
 Court orders
 Audit Advisory Board suggestions
 Reports of Legislative Committees
 Changes in legislation
 Replies to questions given to the Legislature
 Past Audit findings/ Inspection Reports
 Media reports and visibility of topics
 Trend of expenditure and /or receipts
Preparing Annual Compliance Audit Plans
3.12 The exercise, as described above, would help in creating risk profile of the apex
auditable entities as well as audit units under these entities. Based on their risk
profile, the audit units should be prioritised for planning and conduct of compliance
audits. The risk profile of the audit units should be considered vis-à-vis the audit
capacity of the field office- in terms of availability of resources, and an annual Audit
plan of compliance audits to be taken up and completed during the year should be
prepared by each field office.
The field offices under the IA&AD conduct financial audits, performance audits and
compliance audits each year and the Annual Audit Plan of each office shall therefore
be prepared by adopting a holistic approach of covering Apex Auditable

Compliance Auditing Guidelines – C&AG of India 16 | P a g e
 Entities/Audit Units for each type of audit and leveraging common processes. The
Annual Audit Plan of each office would therefore indicate the Apex Auditable
entities/Audit Units for which compliance audits would be conducted. The outcome
of analysis of sanctions and vouchers by the Financial Audit Wing, detailed processes
of which are provided in the Financial Attest Auditing Guidelines for audit of State
Government Accounts and other existing manuals and instructions, can be leveraged
for planning compliance audits.
3.13 It must be the endeavour of the field offices to ensure coverage of all Apex Auditable
Entities in a reasonable period of time, between three to five years. The risk profile
of the audit units would have to be reviewed and updated periodically to assess
continued maintenance or to consider revision in the risk profile assigned to the
apex auditable entities and audit units based on new intervening developments,
changes and increase/decrease in irregularities noticed by various stakeholders, etc.
3.14 The formulation of annual Compliance Audit Plan would therefore require:
a. Updating the Audit Universe such that it comprises all units that qualify as audit
units. A separate inventory of implementing units under their respective Audit
units may be maintained.
b. Applying risk assessment methodology to the Apex Auditable Entities for arriving
at risk profile of the Apex Auditable Entities and Audit Units under these entities.
c. Preparing the annual Compliance Audit Plan by selecting audit units after
considering available audit resources. This would include a risk based selection
of Apex Auditable Entities and an appropriate sample of audit units at various
hierarchies and implementing units within each Apex Auditable Entity. The
selected sample of units shall be auditable both from the propriety and
regularity perspective. Where evaluation of high risk areas/activities against
regularity involves complexity and multifarious aspects, a specific subject matter
may be selected within the high risk area/activity for evaluation of compliance
against regularity.
3.15 Components of Annual Compliance Audit Plan
a. Selection of Apex Auditable Entities and Audit Units that would be taken up for
compliance audits;
b. Selection of Implementing units under the audit units as necessary;
c. Determination of specific subject matter, where considered necessary; and
d. Allocation of audit resources for the audits to be undertaken.
3.16 With the introduction of risk based approach to planning compliance audits,
tempered by the audit capacity of each field office, as envisaged in these guidelines,
the question of audit arrears would generally not arise.

Compliance Auditing Guidelines – C&AG of India 17 | P a g e
4. Planning Compliance Audits

4.1 A compliance audit has to be planned in a manner which ensures that a high quality
audit is carried out in an economic, efficient and effective way and in a timely
manner. Adequate planning will ensure that appropriate attention is accorded to
crucial areas of audit and that potential problems are identified in a timely manner.
It is essential that Auditors plan the audit with an attitude of professional scepticism
and exercise professional judgement. Further, auditors should possess the
knowledge, competence and skills to understand the compliance requirements that
apply to the auditable entities.
4.2 After the preparation of the annual Compliance Audit Plan as discussed in Chapter 3,
the process of planning for individual compliance audits commences. Individual
compliance audit, hereafter means audit of the identified Apex Auditable Entity
along with the selected Audit Units.
Planning for individual compliance audits
4.3 Planning for individual compliance audits includes preparing the audit strategy and
an audit plan. Preparation of audit strategy for the identified audit entity would
include:
 An understanding of the auditable entity and its internal control environment,
including the statutory, regulatory and legal framework applicable to the
auditable entity and the applicable rules, regulations, policies, codes, significant
contracts or agreements etc;
 An understanding of relevant principles of sound public sector financial
management and expectations regarding the conduct of public sector officials
for propriety related issues;
 Identification of the intended users, including responsible party and those
charged with governance;
 Consideration of materiality and risk assessment including suspected unlawful
acts or fraud;
 Determining the scope of audit with reference to the selected specific subject
matter, if selected, as well as proprietary concerns;
 Development of audit objectives for the specific subject matter, if selected;
 Identification of audit criteria for specific subject matter;
 Sampling considerations, specifically for implementing units below the selected
audit units; and
 Considerations related to direction, supervision and review of the audit team(s).
4.4 Once the audit strategy is in place, the audit plan could be prepared. The plan for the
identified apex auditable entity would include:
 Description of selected audit units;

Compliance Auditing Guidelines – C&AG of India 18 | P a g e
  Sample selection of implementing units under the selected audit units;
 Extent of audit in each selected unit;
 Timing of audit;
 Formation of audit team/s (in case more than one audit team is needed for the
auditable entity);
 Assignment plan detailing the duties of the audit team members;
 Planned audit procedures; and
 Potential audit evidence to be collected during the audit.
4.5 Both the overall audit strategy and the audit plan should be documented in the audit
file. Planning for individual compliance audits is a continual and iterative process.
The overall audit strategy and plan are therefore required to be updated as
necessary throughout the audit.
Scope of Audit
4.6 The scope is the boundary of audit. It defines “what to audit”, “who to audit”,
“where to audit” and “which period to audit”.
 What to Audit - The propriety issues are to be seen in all units selected to be
audited. However, the selected specific subject matter for regularity audit would
define the scope for “what to audit” and would also determine the criteria.
 Who to Audit - The issue of “who to audit” is decided by the predetermined
annual compliance audit plan as discussed in Chapter 3 that specifies the
auditable entity and selected audit units below the auditable entity.
 Where to audit - brings us to selection of units for audit within the auditable
entity, and also to the selection of transactions, areas etc. Sampling decisions
would be crucial for this stage.
 Which period to Audit - the period of audit to be covered would have to be
determined as per the risk assessment. In case of audit units, the period of audit
should ordinarily cover period from the previous audit to the current period.
However, specific circumstances may exist where current risk assessment reveal
areas of concern that warrant coverage of period included in previous audit(s).
In case of implementing units, the period of audit to be covered would
correspond with the audit period of audit units.
Compliance Audit Objectives
4.7 The overall Compliance Audit Objectives can be summarized as below:
 To assess whether the subject matter adheres to the formal criteria arising out
of the laws, regulations and agreements applicable to the auditable entity;
 To assess whether the general principles of sound public sector financial
management and ethical conduct have been adhered to; and
 Report the findings and conclusions to the responsible party, those charged with
governance, legislature and/or other parties as appropriate.

Compliance Auditing Guidelines – C&AG of India 19 | P a g e
4.8 The particular objectives of a compliance audit for the identified apex auditable
entity are to be derived from the scope of audit. Illustrative and not comprehensive,
instances of scope and detailed audit objectives of compliance audits are given
below:
Compliance Detailed audit objectives
audit scope
Contracting  Verify whether procurement was carried out as per extant
and rules and in accordance with delegated financial powers.
procurement  Verify whether financial propriety was ensured during the
stages of tendering, evaluation and award of contract.
Tax receipts  Verify whether assessments were in accordance with the
relevant tax laws and rules thereunder.
 Verify whether the assessed demands were collected and
properly accounted for.
Establishment  Verify whether payments in respect of salaries and other
audit entitlements were in accordance with the relevant rules and
instructions.
 Verify whether health center has been set up in accordance
Availability of with specified population norms.
infrastructure  Verify whether the necessary infrastructure facilities (medical
in Heath equipment, operation theatre, UPS, water supply, stock of
Department drugs, etc) have been provided as per Indian Public Health
Standards (IPHS).
 Verify whether the complement of doctors and other staff are
as per IPHS.
Plant  Verify whether the usage of power, fuel are as per approved
efficiency norms.
 Verify whether plant shutdowns are as per approved norms.
 Verify whether the production is as per the prescribed scale.
 Verify whether the installed capacity of the plant is designed
as per regulatory approvals.
 Verify whether the operation of plant complies with
environmental norms.
Corporate  Verify whether corporate social responsibility framework is as
social per regulatory approvals.
responsibility  Verify whether activities of corporate social responsibility are
as per corporate policy.
 Verify whether the corporate policy is in consonance with
relevant regulations and DPE guidelines.
Audit of  Verify whether the sanction is within the general or express
sanctions powers delegated to the sanctioning authority.
 Verify whether the criteria for sanction such as - availability of
funds, determination of physical targets, objects of
expenditure and accounting procedure- have been adhered
to.

Compliance Auditing Guidelines – C&AG of India 20 | P a g e
  Verify whether the sanction is not split to avoid obtaining
sanction of a higher authority.
 Verify whether sanction is conflicting with general principles
of public sector financial management or other orders
/instructions.
Criteria
4.9 Criteria are the benchmarks used to evaluate or measure the subject matter
consistently and reasonably. The criteria provide the basis for evaluating audit
evidence, developing audit findings and conclusions. Criteria may be formal, such as
a law or regulation, terms of a contract or agreement or less formal such as a code of
conduct, principle of propriety or they may relate to expectations regarding
behaviour. Generally, criteria for regularity audits would therefore emanate from
specific authorities while criteria for propriety issues would emanate from the
General Financial Rules of the Government of India and those codified in the
corresponding State Financial Rules.
The criteria should have the following characteristics:
a) Relevant– relevant criteria provide meaningful contributions to the
information and decision making needs of the intended users of the audit
report.
b) Reliable– reliable criteria result in reasonably consistent conclusions when
used by another auditor in the same circumstances.
c) Complete–complete criteria are those that are sufficient for the audit
purpose and do not omit relevant factors. They are meaningful and make it
possible to provide the intended users with a practical overview for their
information and decision making needs.
d) Objective – objective criteria are neutral and free from any bias on the part
of the auditor or on the part of the management of the auditable entity.
e) Understandable – understandable criteria are those that are clearly stated,
contribute to clear conclusions and are comprehensible to the intended
users.
f) Comparable – comparable criteria are consistent with those used in similar
audits of other agencies or activities and with those used in previous audits of
the entity.
g) Acceptable –acceptable criteria are those to which independent experts in
the field, auditable entities, legislature, media and the general public are
generally agreeable.
h) Available – criteria should be made available to intended users so that, they
understand the nature of audit work performed and the basis for the audit
report.

Compliance Auditing Guidelines – C&AG of India 21 | P a g e
4.10 Understanding internal controls
Understanding internal controls is normally an integral part of understanding the
entity and the relevant subject matter. The CAG’s Regulations on Audit and
Accounts, 2007 explain that the auditor should examine and evaluate the reliability
of internal controls. In compliance audit, this includes understanding and evaluating
controls that assist the executive in complying with laws and regulations applicable
to the auditable entity. The type of controls that need to be evaluated depends on
the subject matter, nature and scope of the particular compliance audit. In
evaluating internal controls, auditors assess the risk that the control structure may
not prevent or detect material non-compliance. The internal control system in an
entity may also include controls designed to correct identified instances of non-
compliance, presence and effectiveness of institutionalised mechanisms such as
Internal Financial Adviser system, Internal Audit system etc.
Auditors should obtain an understanding of the internal controls relevant to the
audit objectives and test controls on which they expect to rely. The assurance
derived from the assessment of internal controls will assist the auditors to determine
the confidence level and hence, the extent of audit procedures to perform. This
would also determine the sample size of implementing units to be selected as well as
the sample selection of transactions etc.
Materiality
4.11 Materiality consists of both quantitative and qualitative factors. Materiality is often
considered in terms of monetary value but the inherent nature or characteristics of
an item or group of items may also render a matter material. As mentioned in
Chapter 2, determining materiality is a matter of professional judgement and
depends on the auditor’s interpretation of the users’ needs. A matter can be judged
material if knowledge of it is likely to influence the decisions of the intended users.
The CAG’s Regulations on Audit and Accounts, 2007 state that in formulating audit
opinion or report, the auditor should inter-alia give due regard to the materiality of
the matter keeping in view the amount, nature and context. In performing
compliance audits, materiality is determined for
a) Planning purposes;
b) Purposes of evaluating the evidence obtained and the effects of identified
instances of non-compliance; and
c) Purposes of reporting the results of the audit work
4.12 During the planning process, information is gathered about the entity in order to
assess risk and establish materiality levels for designing audit procedures. Issues that
may be considered material even if the monetary value is not significant would
include the following:

Compliance Auditing Guidelines – C&AG of India 22 | P a g e
 a) Fraud;
b) Intentional unlawful acts or non-compliance;
c) Incorrect or incomplete information to executive, the auditor or to the
legislature (concealment);
d) Intentional disregard to the executive, authoritative bodies or auditors; and
e) Events and transactions made despite knowledge of the lack of legal basis to
carry out the particular event or transaction.
Risk assessment
4.13 Risk assessment is an essential part of performing a compliance audit. Due to the
inherent limitations of an audit, a compliance audit does not provide a guarantee or
absolute assurance that all instances of non-compliance will be detected. Inherent
limitations in a compliance audit may include factors such as:
a) Judgement may be applied by the executive in interpreting laws and
regulations;
b) Human errors;
c) Systems may be improperly designed or function ineffectively;
d) Controls may be circumvented; and
e) Evidence may be concealed or withheld
4.14 In performing compliance audits, auditors assess risks and perform audit procedures
as necessary throughout the audit process. This is done in order to reduce audit risk
to an acceptably low level in the particular circumstances, so as to obtain reasonable
assurance to form the basis for the auditor’s conclusions. The risks and the factors
that may give rise to such risks will vary depending on the particular subject matter
and circumstances of audit. Results of the risk assessment would again affect the
sampling considerations.
Risk assessment considerations with regard to fraud
4.15 As a part of audit, auditors should identify and assess fraud risk and gather sufficient
appropriate evidence related to the identified fraud risks by performing suitable
audit procedures. As mentioned in Chapter 2, while detecting fraud is not the main
objective of compliance audit, auditors should include fraud risk factors in their risk
assessments and remain alert to indications of fraud when carrying out their work. If
the auditor comes across instances of non-compliance which may be indicative of
fraud, the auditor should exercise due professional care and caution so as not to
interfere with any future legal proceedings or investigations.
4.16 Planning audit procedures
Planning audit procedures involves designing audit procedures to respond to the
identified risks of non-compliance. The exact nature, timing and extent of audit
procedures to be performed may vary widely from one audit to another.
Nonetheless, compliance audit procedures in general involve establishing the

Compliance Auditing Guidelines – C&AG of India 23 | P a g e
 relevant criteria and then measuring the relevant subject matter information against
such criteria.
4.17 After determination of the scope of audit, development of audit objectives,
identification of relevant criteria for measuring the selected subject matters, when
specifically selected for an apex auditable entity or across auditable entities, both for
regularity and propriety issues, auditors should prepare a Compliance Audit Design
Matrix for the identified apex Auditable entity in the following format.
Compliance Audit Design Matrix
Audit Audit Audit Data collection Audit evidence
objective/Sub questions on criteria and analysis
objective selected method
subject
matters

4.18 The Compliance Audit Plan would detail out the selected Apex Auditable Entity, the
selected Audit Units and the Implementing Units. However, the selection of sample
of transactions within the audit units may be necessary for detailed scrutiny. When
compliance audit is planned and conducted based on a top down and department
centric approach, sampling for selection of transactions may have to be conducted at
multiple levels. This multi stage sampling typically involves the following:
 Selection of transactions from the selected Audit Units falling directly under the
chain of command of the selected Apex Auditable Entity (either in whole or in
part depending upon the selected specific subject matter) relevant to evaluation
of the selected subject matters for regularity and propriety audits respectively;
and
 Selection of transactions from the Implementing Units, as considered necessary,
relevant to evaluation of the selected subject matters for regularity and
propriety audits respectively.
4.19 Statistical sampling may be adopted for selection of transactions, which would
enhance the level of verifiable audit assurance. Accountants General may exercise
professional judgement with regard to adoption of a suitable sampling methodology
depending upon the selected subject matters, audit objectives being pursued and
the envisaged scope of audit, as per extant instructions.
Compliance auditing in digital environment
4.20 In case of departments/ sectors where e-governance has taken roots and
transactions are being conducted in virtualised environments, digital auditing can
also be adopted by the audit teams. Digital auditing facilitates looking at whole of

Compliance Auditing Guidelines – C&AG of India 24 | P a g e
 the population for outliers or unexpected variations. Such outliers can be taken up
for detailed scrutiny. Data analytical tools can be of immense help here.
Team composition
4.21 Audit team(s) with an appropriate team composition should be constituted for each
audit. As mentioned in Chapter 2, the audit team should collectively possess the
knowledge, skills and expertise necessary to successfully complete the audit. This
includes an understanding and practical experience of the type of audit being
undertaken, familiarity with the applicable standards and authorities, an
understanding of the auditable entity’s operations and the ability and experience to
exercise professional judgement. The work allocation for each member of the audit
team should be clearly delineated and it must be ensured that each member
understands his/her role in the audit team. Appropriate arrangements should be
ensured for providing direction, supervision and review of audit teams. In some
cases, it may be possible to conduct the audit of the apex auditable entity and its
selected audit units by one dedicated team. However, in case of large entities, it may
become necessary to constitute multiple teams for audit of the apex auditable entity
and its selected audit units. In such a scenario, a lead team may be constituted from
amongst the audit teams, which should be entrusted with the responsibility of
providing a cohesive and synergised approach to compliance audit. The lead team in
such cases may also be required to provide guidance, liaison support to other teams
throughout the audit process and also consolidate audit findings of all other audit
teams to enable achieving a holistic analysis and a reasoned conclusion.
Intimation to the auditable entity
4.22 After the overall strategy and audit plan as discussed above have been drawn up
intimation should be provided to the identified auditable entity (executive) and all
other audit units down the line regarding the audit being taken up. The intimation to
the executive should include the scope of audit, audit objectives being pursued,
subject matters that have been selected, criteria that would be used to evaluate the
subject matters, designed sampling of audit units /implementing units. The
intimation should indicate the composition of audit team(s), duration and schedule
of audit and should solicit the requirements from and co-operation of the executive
for the smooth conduct of audit.

Compliance Auditing Guidelines – C&AG of India 25 | P a g e