Unrestricted access to information

A SAI’s legal framework should also give it all the tools it needs to discharge its legal duties fully within the law. If a SAI is to perform its mandate effectively, it must be able to gather the evidence it needs to reach appropriate and defensible opinions. The SAI needs to know that the entities or officials it is auditing will put no barriers in its way to access all the necessary documents and information, in whatever format they are stored, freely and quickly, and that it will be able to obtain copies of such information to use when preparing its audit reports.

Over and above documentary evidence, the SAI needs access to the appropriate officials and staff within the government or audited entity, so that it can interview them when necessary, check their understanding of the internal control systems, and verify facts collected during the audit process.

The power to access information should also extend to information not held by the audited entity. This can include, for example, bank records, tax records, or information held by officials in their personal capacity. The SAI’s powers should be expressly able to override other obligations applying to such information, for examples duties of secrecy in relation to bank or tax records, or “commercial in confidence” obligations in relation to information received from third parties.

When there is any doubt about the SAI’s mandate to audit resources or entities outside the public sector (as discussed under Principle 3), it is important to ensure that the SAI has power to obtain information held by those persons.

It is essential that the SAI’s powers are written into the legal framework, with clarity and precision. They should be capable of delegation to authorised personnel of the SAI under the oversight of the Head of SAI or other senior office holders.

Reserve powers are also necessary to address extreme situations. They should include powers to enter premises, seal documents or working spaces, and require officials or others to attend the SAI for questioning. Sanctions may also be needed, for example in the form of criminal offences for an entity or individual to wilfully obstruct the SAI or its officers in the performance of their duties – including failing to provide information within a reasonable time period.

Principle 4 also has important practical dimensions. The ISSAIs refer to the need for audit opinions to be formed on the basis of sufficient appropriate audit evidence. An audit under the ISSAIs is conducted within the context of a relationship with the entity and its personnel (including its management and those charged with its governance). Principle 4 can be enhanced by understanding the need for information in this context.

On the other hand, the SAI’s power of unrestricted access to information can in practice be threatened when officials or audited entities seek to frustrate the SAI’s attempts to gather information. This can happen in many ways, even in the context of an audit relationship as just described. They include delays in responding to requests, providing only partial responses to questions, or, at worst, denying the existence of documents which the SAI knows exist or must exist.

As well as being able to resort to the SAI’s reserve powers, these problems can be addressed through intervention by senior officials or the Head of SAI, or use of the SAI’s reporting powers to draw the Legislature’s attention to the lack of cooperation.