ISSAI 140

Quality Control for SAIs

INTOSAI Standards are issued

by the International
Organisation of Supreme Audit
Institutions, INTOSAI, as part of
the INTOSAI Framework of
Professional Pronouncements.
For more information visit
INTOSAI www.issai.org
 INTOSAI

INTOSAI, 2019
1) Formerly known as ISSAI 40
2) Endorsed in 2010
3) With the establishment of the Intosai Framework of Professional
Pronouncements (IFPP), relabeled as ISSAI 140 with editorial changes in 2019

ISSAI 140 is available in all INTOSAI official languages: Arabic, English, French,
German and Spanish
TABLE OF CONTENTS

1. INTRODUCTION 4

2. SCOPE OF ISSAI 140 5

3. OVERVIEW OF ISQC-1 7

4. WHAT IS A SYSTEM OF QUALITY CONTROL? 8

5. STRUCTURE OF ISSAI 140 10

6. FRAMEWORK FOR AN SAI’S SYSTEM OF QUALITY CONTROL 11

Element 1: Leadership responsibilities for quality

within the SAI 11

Element 2: Relevant ethical requirements 13

Element 3: Acceptance and continuance 15

Element 4: Human resources 17

Element 5: Performance of audits and other work 19

Element 6: Monitoring 21

7. INTERPRETATION OF TERMS 23
1 INTRODUCTION

The purpose of ISSAI 140 - Quality control for SAIs is to assist SAls to establish and
maintain an appropriate system of quality control which covers all of their work. This
document should help SAls design a system of quality control which is appropriate
to their mandate and circumstances and which responds to their risks to quality.

A major challenge facing all SAls is to consistently deliver high quality audits and
other work. The quality of work performed by SAls affects their reputation and
credibility, and ultimately their ability to fulfil their mandate.

For a system of quality control to be effective, it needs to be part of each SAI’s

strategy, culture, and policies and procedures as outlined in this guidance. In this way,
quality is built into the performance of the work of each SAI and the production of
the SAI’s reports, rather than being an additional process once a report is produced.

This document is an integral part of the International Standards of Supreme Audit

Institutions (ISSAIs). The principles and application guidance within this ISSAI is
intended to be used in conjunction with other ISSAIs.

Each SAI is best equipped to decide how to implement ISSAI 140 given its own
mandate and structure, its risks and the nature of work it performs.

4
2 SCOPE OF ISSAI 140

ISSAI 140 is based on the key principles in the International Standard on Quality
Control, ISQC 1’, adapted as necessary to apply to SAIs. Although ISQC-11 includes
some matters specific to public sector audit organisations and in many respects is
appropriate to SAIs, the key principles require some interpretation to enable them
to be applied by SAIs. ISSAI 140 reflects the mandate of SAIs, which is often wider
than that of a professional audit and assurance firm. ISSAI 140 provides principles
and application guidance to assist SAIs in applying the key principles of ISQC-1 to
the full range of their work, as appropriate to their mandate and circumstances.
This document outlines quality control measures that are relevant to achieving high
quality in the public sector environment.

Although the general purpose and key principles of ISSAI 140 are consistent with
ISQC-1, the requirements of this ISSAI have been adapted to ensure they are
relevant to SAIs. Therefore, the requirements are not identical to the requirements
of ISQC-1

By recognising and drawing on the key principles in ISQC-1, ISSAI 140 establishes an
overall framework for quality control in SAIs. This framework is designed to apply
to the system of quality control for all the work carried out by SAls, (i.e. financial
audits, compliance audits, performance audits and any other work carried out by
an SAI).

1 ISQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and other Assurance
and Related Services Engagements, International Federation of Accountants (IFAC).

5
ISSAI 140 - QUALITY CONTROL FOR SAIS

ISSAI 140 focuses on the organisational aspects of audit quality operating

throughout SAIs. ISSAI 140 also provides a framework that complements other
INTOSAI pronouncements, including those for quality control at an individual
engagement level (e.g. an individual financial audit, compliance audit, performance
audit or any other work carried out by an SAI.)

Standards and guidance on quality control at an individual engagement level can be

found:
• Financial Audit; see ISSAI 2220 and ISSAI 2620 - provide requirements in
respect of quality control for financial audits.
• Performance Audit; see ISSAI 3000/79 - establishes the requirement and
GUID 3910/100-108 provides further guidance in respect of quality control
for performance audit
• Compliance Audit; see ISSAI 4000/80-88 - establishes requirements in
respect of quality control for compliance audits.

If an SAI wishes to assert that it is compliant with ISQC-1 (and with ISAs), it will
need to consider the requirements of ISQC-1. The requirements for applying ISAs are
described in the Financial Audit Standards.

ISQC-1 is available from IFAC.

Some terms used in ISQC-1 need interpreting for SAIs. These interpretations are set
out in section 7 of this document.

6
3 OVERVIEW OF ISQC-1

ISQC-1 deals with a firm’s responsibilities in relation to its system of quality control

for audits and reviews of financial statements and other assurance and related

services engagements.

ISQC-1 sets out that “the objective of the firm is to establish and maintain a system

of quality control to provide it with reasonable assurance that:

a) the firm and its personnel comply with professional standards and

applicable legal and regulatory requirements; and

b) reports issued by the firm or engagement partners, are appropriate in

the circumstances”2.

The framework in ISSAI 140 is intended to fulfil the same purpose in relation to

each SAI’s mandate and circumstances.

2 ISQC-1, para 11.

7
4 WHAT IS A SYSTEM OF
QUALITY CONTROL?

ISSAI 140 uses the elements of the quality control framework outlined in ISQC-1.
ISSAI 140 also considers the issues of particular relevance in the public sector audit
environment affecting an SAI’s system of quality control. ISQC-1 outlines the elements
of a system of quality control to be:

a) Leadership responsibilities for quality within the firm;

b) Relevant ethical requirements;

c) Acceptance and continuance of client relationships and specific

engagements;

d) Human resources;

e) Engagement performance; and

f) Monitoring.

In addition to the above elements, ISQC-1 notes the need to document the firm’s
quality control policies and procedures and communicate them to the firm’s
personnel.

The elements of a system of quality control contained in ISQC-1 are applicable to

the range of work carried out by SAls (which may be wider than the ISQC-1 term
‘engagements’). Therefore, the key principles in ISQC-1 should be considered by
SAls when designing their system of quality control.

As an overriding objective, each SAl should consider the risks to the quality of
its work and establish a system of quality control that is designed to adequately

8
ISSAI 140 - QUALITY CONTROL FOR SAIS

respond to these risks. The risks to quality will depend on the mandate and
functions of each SAI, and the conditions and environment under which it operates.
These risks may arise in many different aspects of an SAI’s work. For example, risks
to quality may arise in the application of professional judgement, the design and
implementation of policies and procedures, or in the methods used by SAls to
communicate the results of their work. Maintaining a system of quality control
requires ongoing monitoring and a commitment to continuous improvement.

9
5 STRUCTURE OF
ISSAI 140

Section 6 of ISSAI 140 is presented in the same way for each element identified in
ISQC-1 as follows:

• the key principle in ISQC-1;

• the key principle adapted for SAls;

• application guidance for SAIs.

10
6 FRAMEWORK FOR AN
SAI’S SYSTEM OF QUALITY
CONTROL

ELEMENT 1: LEADERSHIP RESPONSIBILITIES FOR QUALITY WITHIN

THE SAI

ISQC-1 Key Principle:

“The firm shall establish policies and procedures designed to promote an internal
culture recognizing that quality is essential in performing engagements. Such
policies and procedures shall require the firm’s Chief Executive Officer (or equivalent)
or, if appropriate, the firm’s managing board of partners (or equivalent) to assume
ultimate responsibility for the firm’s system of quality control”3

Key principle adapted for SAls

An SAI should establish policies and procedures designed to promote an
internal culture recognising that quality is essential in performing all of its
work. Such policies and procedures should be set by the Head of the SAI, who
retains overall responsibility for the system of quality control.

3 ISOC-1, para 18.

11
ISSAI 140 - QUALITY CONTROL FOR SAIS

APPLICATION GUIDANCE FOR SAIs

• The Head of the SAI may be an individual or a group depending on the

mandate and circumstances of the SAI.
• The Head of the SAI should take overall responsibility for the quality of all
work performed by the SAI.4
• The Head of the SAI may delegate authority for managing the SAI’s system
of quality control to a person or persons with sufficient and appropriate
experience to assume that role.
• SAls should strive to achieve a culture that recognises and rewards high
quality work throughout the SAI. To achieve that culture the Head of the SAI
should set the right “tone at the top”5 which emphasises the importance
of quality in all of the work of the SAI, including work which is contracted
out. Such a culture also depends on clear, consistent and frequent actions
from all levels of the SAI’s management that emphasise the importance
of quality.
• The strategy of each SAI should recognise an overriding requirement for
the SAI to achieve quality in all of its work so that political, economic or
other considerations do not compromise the quality of work performed.
• SAls should ensure that quality control policies and procedures are clearly
communicated to SAI personnel and to any parties contracted to carry out
work for the SAI.
• SAls should ensure that sufficient resources are available to maintain the
system of quality control within the SAI.
• The strategy of each SAI should recognise an overriding requirement for
the SAI to achieve.

4 Consistent with INTOSAI-P 20 Principles of transparency and accountability, Principle 5.

5 Tone at the Top and Audit Quality — Transnational Auditors Committee, Forum of Firms,
International Federation of Accountants (December 2007) — www.ifac.org

12
ISSAI 140 - QUALITY CONTROL FOR SAIS

ELEMENT 2: RELEVANT ETHICAL REQUIREMENTS

ISQC- 1 Key Principle:

“The firm shall establish policies and procedures designed to provide it with
reasonable assurance that the firm and its personnel comply with relevant ethical
requirements”6

Key principle adapted for SAls

An SAI should establish policies and procedures designed to provide it with
reasonable assurance that the SAI, including all personnel and any parties
contracted to carry out work for the SAI, comply with relevant ethical
requirements.

APPLICATION GUIDANCE FOR SAIs

• SAls should emphasise the importance of meeting relevant ethical

requirements in carrying out their work.
• All SAI personnel and any parties contracted to carry out work for the SAI
should demonstrate appropriate ethical behaviour.
• The Head of the SAI and senior personnel within the SAI should serve as
an example of appropriate ethical behaviour.
• The relevant ethical requirements should include any requirements set out
in the legal and regulatory framework governing the operations of the SAI.
• Ethical requirements for SAIs may include or draw on the INTOSAI ISSAI
130 - Code of Ethics and the IFAC ethical requirements, as appropriate
to its mandate and circumstances and to the circumstances of their
professional staff.
• SAls should ensure policies and procedures are in place in line with ISSAI
130, i.e.:
6 ISQC-1, para 20.

13
ISSAI 140 - QUALITY CONTROL FOR SAIS

- integrity;
- independence, objectivity and impartiality;
- professional secrecy; and
- competence.
• SAIs should ensure that any parties contracted to carry out work for the
SAI are subject to appropriate confidentiality agreements.
• SAls should consider the use of written declarations from personnel to
confirm compliance with the SAI’s ethical requirements.
• SAls should ensure policies and procedures are in place to notify the Head
of the SAI in a timely manner of breaches of ethical requirements and
enable the Head of the SAI to take appropriate action to resolve such
matters.
• SAIs should ensure appropriate policies and procedures are in place to
maintain independence of the Head of the SAI, all personnel and any
parties contracted to carry out work for the SAI.

(For more information on independence of SAls, refer to INTOSAI-P 10 Mexico

Declaration on SAl Independence and GUID 9030 Good Practices Related to SAl
Independence).
• SAIs should ensure policies and procedures are in place that reinforce the
importance of rotating key audit personnel, where relevant, to reduce
the risk of familiarity with the organisation being audited. SAls may also
consider other measures to reduce the familiarity risk.

14
ISSAI 140 - QUALITY CONTROL FOR SAIS

ELEMENT 3: ACCEPTANCE AND CONTINUANCE

ISQC-1 Key Principle:

“The firm shall establish policies and procedures for the acceptance and continuance
of client relationships and specific engagements, designed to provide the firm with
reasonable assurance that it will only undertake or continue relationships and
engagements where the firm:
a) is competent to perform the engagement and has the capabilities,
including time and resources, to do so;
b) can comply with relevant ethical requirements; and
c) has considered the integrity of the client and does not have information
that would lead it to conclude that the client lacks integrity”.7

Key principle adapted for SAIs

An SAI should establish policies and procedures designed to provide the SAI with
reasonable assurance that it will only carry out audits and other work where the SAI:

a) is competent to perform the work and has the capabilities, including time
and resources, to do so;

b) can comply with relevant ethical requirements; and

c) has considered the integrity of the organisation being audited and has
considered how to treat the risk to quality that arises.

The policies and procedures should reflect the range of work carried out by each
SAI. In many cases SAls have little discretion about the work they carry out. SAIs
carry out work in three broad categories:

• Work that is required of them by their mandate and statute and

which they have no option but to carry out;

• Work that is required by their mandate, but where they have

discretion as to the timing, scope and/or nature of work;

• Work that they can choose to carry out.

7 1500-1, para 26.

15
ISSAI 140 - QUALITY CONTROL FOR SAIS

APPLICATION GUIDANCE FOR SAIs

• For all audits and other work carried out, SAIs should establish systems to
consider the risks to quality which arise from carrying out the work. These
will vary, depending on the type of work being considered.
• SAIs normally operate with limited resources. SAIs should consider their
work programme and whether they have the resources to deliver the
range of work to the desired level of quality. To achieve this, SAIs should
have a system to prioritise their work in a way that takes into account the
need to maintain quality. If resources are not sufficient and pose a risk to
quality, the SAI should have procedures to ensure that the lack of resource
is brought to the attention of the Head of the SAI and, where appropriate,
the legislature or budgetary authority.
• SAIs should assess if a material risk to their independence exists in
accordance with INTOSAI-P 10.
• Where such a risk is identified, the SAI should determine and document
how it plans to address this risk and ensure an approval process is in place
and is adequately documented.
• Where the integrity of the audited organisation is in doubt, the SAI should
consider and address the risks arising from the capability of staff, the
level of resources, and any ethical issues which might arise in the audited
organisation.
• SAls should consider procedures for acceptance and continuance of
discretionary work, including work which is contracted out. If the SAl
decides to carry out the work, the SAl should ensure the decision is
approved at the appropriate level within the SAI, and that the risks involved
are assessed and managed.
• SAls should ensure that their risk management procedures are adequate
to mitigate the risks of carrying out the work. The response to the risks
may include:
- carefully scoping the work to be performed;
- assigning more senior/experienced staff than would ordinarily be the
case; and

16
ISSAI 140 - QUALITY CONTROL FOR SAIS

- doing a more in depth engagement quality control review of the work

before a report is issued.
• SAls should consider disclosing in their reports any specific matters that
would ordinarily have led the SAl to not accept the audit or other work.

ELEMENT 4: HUMAN RESOURCES

ISQC-1 Key Principle:

“The firm shall establish policies and procedures designed to provide it with
reasonable assurance that it has sufficient personnel with the competence,
capabilities and commitment to ethical principles necessary to:

a) perform engagements in accordance with professional standards and

applicable legal and regulatory requirements; and

b) enable the firm or engagement partners to issue reports that are

appropriate in the circumstances”.8

APPLICATION GUIDANCE FOR SAIs

• SAls may draw on a number of different sources to ensure they have the
necessary skills and expertise to carry out the range of their work, whether
carried out by SAI personnel or contracted out.
• SAls should ensure that responsibility is clearly assigned for all work
carried out by the SAI.
• SAls should ensure that personnel, and parties contracted to carry out
work for the SAI (e.g. from chartered accountancy or consulting firms),
have the collective competencies required to carry out the work.
• SAls should recognise that in certain circumstances personnel and, where
relevant, any parties contracted to carry out work for the SAI, may have
personal obligations to comply with the requirements of professional
bodies in addition to the SAI’s requirements.

8 ISQC-1, pars 29

17
ISSAI 140 - QUALITY CONTROL FOR SAIS

• SAls should ensure that Human Resources policies and procedures give
appropriate emphasis to quality and commitment to the SAI’s ethical
principles. Such policies and procedures related to human resources include:
- recruitment (and the qualifications of recruited staff);
- performance evaluation;
- professional development;
- capabilities (including sufficient time to perform assignments to the
required quality standard);
- competence (including both ethical and technical competence);
- career development;
- promotion;
- compensation; and
- the estimation of personnel needs.
• SAls should promote learning and training for all staff to encourage their
professional development and to help ensure that personnel are trained
in current developments in the profession.
• SAIs should ensure that personnel and any parties contracted to carry out
work for the SAI have an appropriate understanding of the public sector
environment in which the SAI operates, and a good understanding of the
work they are required to carry out.
• SAls should ensure that quality and the SAI’s ethical principles are key
drivers of performance assessment of personnel and any parties contracted
to carry out work for the SAI.

18
ISSAI 140 - QUALITY CONTROL FOR SAIS

ELEMENT 5: PERFORMANCE OF AUDITS AND OTHER WORK

ISQC-1 Key Principle:

“The firm shall establish policies and procedures designed to provide it with reasonable
assurance that engagements are performed in accordance with professional
standards and applicable legal and regulatory requirements, and that the firm or the
engagement partner issue reports that are appropriate in the circumstances. Such
policies and procedures shall include:

a) matters relevant to promoting consistency in the quality of

engagement performance;

b) supervision responsibilities;

c) and review responsibilities”.9

APPLICATION GUIDANCE FOR SAIs

• SAIs should ensure appropriate policies, procedures and tools, such as

audit methodologies are in place for carrying out the range of work that is
the responsibility of the SAI, including work that is contracted out.10
• SAIs should establish policies and procedures that encourage high
quality and discourage or prevent low quality. This includes creating an
environment that is stimulating, encourages proper use of professional
judgement and promotes quality improvements. All work carried out
should be subject to review as a means of contributing to quality and
promoting learning and personnel development.
• Where difficult or contentious matters arise, SAIs should ensure that
appropriate resources (such as technical experts) are used to deal with
such matters.
• SAls should ensure that applicable standards are followed in all work
carried out, and if any requirement in a standard is not followed, SAls
should ensure the reasons are appropriately documented and approved.

9 1SQC-1, para 32.

10 Consistent with INTOSAI-P 20, Principle 3.

19
ISSAI 140 - QUALITY CONTROL FOR SAIS

• SAls should ensure that any differences of opinion within the SAI are
clearly documented and resolved before a report is issued by the SAI.
• SAls should ensure appropriate quality control policies and procedures are
in place (such as supervision and review responsibilities and engagement
quality control reviews) for all work carried out (including financial audits,
performance audits, and compliance audits). SAIs should recognise the
importance of engagement quality control reviews for their work and,
where an engagement quality control review is carried out, matters raised
should be satisfactorily resolved before a report is issued by the SAI.
• SAls should ensure that procedures are in place for authorising reports
to be issued. Some work of SAIs may have a high level of complexity and
importance that requires intensive quality control before a report is issued.
• If SAIs are subject to specific procedures relating to rules of evidence (such
as SAls with a judicial role), they should ensure that those procedures are
consistently followed.
• SAls should aim for timely completion of audits and all other work,
recognising that the value from the work of SAIs diminishes if the work is
not timely.
• SAls should ensure timely documentation (such as audit work papers) of
all work performed.
• SAIs should ensure that all documentation (such as audit work papers) is
the property of the SAI, regardless of whether the work has been carried
out by SAI personnel or contracted out.
• SAIs should ensure appropriate procedures are followed for verifying
findings to ensure those parties directly affected by the SAI’s work have
an opportunity to provide comments prior to the work being finalised,
regardless of whether or not a report is made publicly available by the SAI.
• SAIs should ensure that they retain all documentation for the periods
specified in laws, regulations, professional standards and guidelines.
• SAls should balance the confidentiality of documentation with the need
for transparency and accountability. SAls should establish transparent
procedures for dealing with information requests that are consistent with
legislation in their jurisdiction.

20
ISSAI 140 - QUALITY CONTROL FOR SAIS

ELEMENT 6: MONITORING

ISQC-1 Key Principle:

“The firm shall establish a monitoring process designed to provide it with reasonable
assurance that the policies and procedures relating to the system of quality control
are relevant, adequate and operating effectively. This process shall:

a) include an ongoing consideration and evaluation of the firm’s system of

quality control including, on a cyclical basis, inspection of at least one
completed engagement for each engagement partner;

b) require responsibility for the monitoring process to be assigned to a

partner or partners or other persons with sufficient and appropriate
experience and authority in the firm to assume that responsibility; and

c) require that those performing the engagement or the engagement

quality control review are not involved in inspecting the engagements”.11

Key principle adapted for SAIs

An SAI should establish a monitoring process designed to provide it with
reasonable assurance that the policies and procedures relating to the system
of quality control are relevant and adequate and are operating effectively. The
monitoring process should:

a) include an ongoing consideration and evaluation of the SAl’s system of

quality control, including a review of a sample of completed work across the
range of work carried out by the SAI;

b) require responsibility for the monitoring process to be assigned to an

individual or individuals with sufficient and appropriate experience and authority
in the SAI to assume that responsibility; and

c) require that those carrying out the review are independent (i.e. they have
not taken part in the work or any quality control review of the work.)

11 ISQC-1, para 48.

21
ISSAI 140 - QUALITY CONTROL FOR SAIS

APPLICATION GUIDANCE FOR SAIs

• SAIs should ensure that their quality control system includes independent
monitoring of the range of controls within the SAI (using personnel not
involved in carrying out the work).
• If work is contracted out, SAIs should seek confirmation that the contracted
firms have effective systems of quality control in place.
• SAls should ensure the results of the monitoring of the system of quality
control are reported to the Head of the SAI in a timely manner, to enable
the Head of the SAI to take appropriate action.
• Where appropriate, SAIs should consider engaging another SAI, or other
suitable body, to carry out an independent review of the overall system of
quality control (such as a peer review).12
• Where appropriate, SAls may consider other means of monitoring the
quality of their work, which may include, but not be limited to:
- independent academic review;
- stakeholder surveys;
- follow-up reviews of recommendations; or
- feedback from audited organisations (e.g. client surveys).
• SAls should have procedures for dealing with complaints or allegations
about the quality of work performed by the SAI.
• SAls should consider whether there are any legislative or other
requirements to make monitoring reports public or to respond to public
complaints or allegations related to the work carried out by the SAI.13

12 Consistent with INTOSAI-P 20, Principle 9.

13 Consistent with ISSAI 130 , para 11.

22
7 INTERPRETATION OF
TERMS

If an SAI wishes to assert that it is compliant with ISQC-1 (and with ISAs), it will need

to consider the requirements of ISQC-1 . ISQC-1 includes definitions of a number of

different terms. In applying ISSAI 140, the following terms used in ISQC-1 may be

understood as follows:

The term ‘firm’ refers to the SAI as a whole. Where the

Head of the SAI appoints an employee, a chartered
accountant or auditing partnership, or other suitably
qualified person to carry out audits or other work, the
‘Firm’
‘firm’ refers to the combination of the Head of the SAI,
the person appointed to carry out the audits or other
work and, if applicable, the firm of which the person
appointed is a partner, member or employee

The term ‘engagement’ refers to the work carried out

in exercising the functions of the SAI (for example, a
‘Engagement’
financial audit under the relevant jurisdiction of each
SAI.

23
ISSAI 140 - QUALITY CONTROL FOR SAIS

The term ‘engagement partner’ refers to the employee,

chartered accountant or other suitably qualified
‘Engagement person who is responsible for the work, and for the
partner’ report that is issued on behalf of the Head of the SAI,
in accordance with the policies and procedures of the
SAI

The term ‘client’ refers to the public entity or entities

‘Client’ subject to audit or other work by the SAI (e.g. the
audited organisation).

The guidance provided throughout this ISSAI is consistent with these terms.

24