Auditing Standards and the Accountability of the European Court of Auditors (ECA)

External auditors, both in the private and in the public sector, provide information to citizens and other stakeholders. The quality of this information – their auditing products – relies on ‘standards’. Audits are governed by accounting standards that largely concern ‘best practices’ designed by private accountants’ associations. This raises the question of how these standards fit into the regulatory framework in which an external public auditor operates, for example administrative law. So far, little research has been published on the role of standards setting out the principles underlying the European Court of Auditors’ (ECA) approach to audits and the procedures to be employed. By describing the structure of these standards and comparing them against the EU legal framework, we argue that the ECA, which is based on constitutional law and EU law, mainly follows the private-sector financial auditing standards. Private standards are designed outside EU law: How can auditing standards determined by the private sector be better aligned with administrative law to reflect the realities of public-sector compliance auditing in the framework of the ECA? For issues more exclusively covered by public-sector auditors, such as performance audits, public-sector auditors have developed standards and guidelines themselves. This paper aims to enhance our understanding of the institutional complementarity between global private regulation (i.e. accounting and auditing standards) and public regimes (such as general principles of good administration).


Introduction
Global regulation increasingly relies on alternatives of international legislation. Whether through various guidelines, standards, or declarations produced by organized transnational networks that involve public, private, or hybrid actors, the growing informality of international law making has been a recurring subject of legal analysis. These informal outputs, processes, and actors have been described as a rise in private-sector power that produces flexible, informal, and hence more effective institutions, while the regulatory state's role is decreasing. 1 However, the lack of legitimacy and accountability accompanying these processes has arguably resulted in major problems such as financial breakdowns or human rights violations. 2 Therefore, while informal law-making brings many positives, we need to improve our understanding of how to balance them with public accountability. 3 Financial and compliance audits of the European Court of Auditors (ECA) are an example of the informality of international law making because they are governed by standards that concern the different aspects of the professionalism of auditors and their audits. These standards are developed in the context of international private-sector networks and, therefore, outside the EU's legal framework. Some of such standard-setting bodies are the International Accounting Standards Boards (IASB) and the International Federation of Accountants (IFAC). Being private-sector bodies, they differ from classical standard-setting bodies. 4 Hence, while competences of the ECA are based on the Treaty on the Functioning of the European Union (TFEU), international private bodies without legally founded decision-making powers are able to strongly influence the standards that the ECA follows. Therefore, it is necessary to answer the following question: How can audit standards determined by the private sector be better aligned to administrative law to reflect the realities of public-sector auditing in the framework of the ECA?
This article aims to improve our understanding of the institutional complementarity between transnational private regulation and public regimes. It gives an overview of the question of democratic accountability when using standards emanating from the private sector in public-sector auditing and accounting. Then, it explains the structure of auditing and accounting standards and how they fit into the ECA's legal framework accountability on one set of stakeholders at the expense of others'. 16 Therefore, accountability, effectiveness of informal law, and public interest are a matter of balancing. 17 This balancing is discussed by the authors in the context of the so-called 'output legitimacy', related to the questions of the substantive outputs of various transnational processes, including distributional consequences and profit allocation. 18 Furthermore, an ongoing study, in the field of 'global administrative law', has been exploring whether the adoption of an integrated set of common global administrative principles could make informal law-making more accountable, hence balanced. 19 Dieter Kerwer explains why balancing is important. 20 He points out that the very mechanisms that make standards work also raise serious issues of democratic accountability. The mechanisms that turn voluntary standards into influential rules, i.e. expertise and external enforcement, also make it hard for users to hold those who set these standards accountable. 21 It is hard to hold standard setters accountable because they will deny responsibility for the fact that their standards have become compulsory. 22 For the development of law, a control structure, namely judicial review, exists in order to provide accountability. However, what control structure is there for standards?
The classic problem in the search for control structures, administrative principles and balances between private and public interests is that interaction among multiple regulators and stakeholders (which have an increasingly blurred public-private nature) imply various competing interests. 23 In some sectors, the informality of international law-making has facilitated the change of the role of the state from that of 'rule-maker' that should protect its citizens, to that of 'rule-taker'. 24 This is a problem because the power imbalances in international law-making, either among states or between states and other transnational actors, too often serve the interests of a very small minority, rather than societal interests. 25 Therefore, both in theory and in practice the question remains: How should we reach a good balance? And based on what criteria? The aim of this paper is much more modest, and we do not aim to answer these normative questions. Still, this debate represents an academic context for what we have observed in the auditing practice.

Standards and accountability in the auditing sector -the public and the private sector: similarities and differences
The practical necessity of informal law-making and the problems of accountability and good governance are sector-specific. 26 This article analyses the situation in the auditing sector where the importance of standards for financial accountability and auditing has been increasing over recent years. hard lessons to learn. 28 The subsequent financial crises have shown that the prosperity of our economic life largely depends on reliable financial information and financial audits. 29 Furthermore, there is an increasing need for global comparability of financial reporting and auditing. Standardisation in this field, therefore, implies a need for global standardisation efforts. 30 We will focus on the example of the European Court of Auditors (ECA), an EU institution composed of 28 members, one from each Member State. The ECA is an independent external auditor of the EU funds. Its main task is to identify risks, provide assurance and guidance to EU policymakers on how to improve the management of EU finances, and ensure transparency in EU-related money spending. 31 The ECA is regulated in Articles 285-287 of the Treaty on the Functioning of the European Union (TFEU). Article 285 TFEU provides that 'the Court of Auditors shall carry out the Union's audit.' Article 286 TFEU enumerates the duties of the Members. Article 287 TFEU then provides for the tasks of the ECA, including that it 'shall examine the accounts of all revenue and expenditure of the Union', including 'all bodies, offices or agencies set up by the Union (…)', and also what input the ECA can use to execute its tasks, and what output it is expected to produce. 32 A unifying framework for this paper is that for both the private sector and the public sector, the overall goals of standards is to ensure good governance. Our starting point is that trust is key to the principle of good governance and the use of auditing standards is a tool towards trust. 33 In other words, assessing organisations and their executives on their financial management aims to keep them accountable towards their stakeholders. The assessment by the ECA of the Annual Activity Reports (AARs) of the European Commission (EC) is an example of this. Annual Activity Reports detail achievements, the initiatives taken, and the financial and human resources spent during the year. 34 The ECA's assessment thereby contributes to the trust that stakeholders (i.e. European citizens) have in the European Commission to adhere to certain financial management rules and reporting requirements.
The concept of good governance is useful to reveal similarities and differences between public and private auditing. In essence both in the private and in the public sector trust is expressed by money: In the private sector this takes the form of volatility in share prices and thereby shareholders' value, and in the European public sector through citizens' support for certain policy proposals via parliament's budget approval and discharge given to the European Commission. Another similarity is that financial auditing standards focus on the fair presentation of an organisation's financial situation and, to some extent, whether there has been corporate responsibility by respecting certain rules. However, despite these similarities, there are also significant differences, mainly when it comes to assessing compliance with European or national rules, regulations and organizational performance.
In the private sector, the traditional yardstick to assess a company's performance is profit and capital value. It must be admitted that in the private world corporate reporting has increased, mostly on a voluntary basis, to show organisations' support regarding a sustainable and inclusive economy and society. This has created a new reason for reporting in addition to the profit-driven incentives. 35 Private auditing, however, is still very much limited to financial audits: if involved in performance issues, auditing firms can only have an  advisory role in and for companies. Private auditing firms tend to struggle with situations where they have to provide assurance, a posteriori, on compliance and performance issues, also due to liability concerns. 36 The profit and capital context does not apply to the public sector where responsibility concerns assessing compliance of public organisations with applicable treaties, regulations, and social or other objectives. Traditionally, the main criterion is the extent to which an EU-spending programme like 'Horizon 2020', 37 for example, has driven economic growth and created jobs (i.e. has had a positive impact for the citizen). 38 Therefore, whereas private-sector performance auditing mostly measures profit in financial terms, public auditing concentrates on how money has been used and what societal profit it has generated. And to audit lump-sum funding for example: Has it been used by the beneficiary in compliance with the regulations or rules? The essence of public auditing is completely different. Public auditors' advice on performance is based on their performance audit reports, addressed to public stakeholders. To ensure a credible assessment of impact the public auditing sector has developed a broad and diversified set of performance standards. For example, the ECA has developed the Performance Audit Manual (PAM), 39 based on generally accepted principles of performance auditing, as evidenced in the International Organisation of Supreme Audit Institutions (INTOSAI) standards and guidelines for performance auditing. 40 Also regarding compliance there is a difficulty in a one-dimensional approach of 'checking' the rules. The publicly designed rules (European Parliament and European Council on a proposal of the European Commission) have three dimensions: (a) the interpretation of the rule, (b) the context in which the beneficiary works and (c) the purpose of the rule.
Despite the universal application of accounting and auditing standards in the private and the public sector, consequences of their application prove to be different for private and public auditors. For instance, financial reporting and auditing in the private sector is in fine related to the liability of the accountant or auditor. Private auditors need precise measurement guidelines. For example, measuring the size and weight of the apples and pears sold in a supermarket is important to obtain a precise idea of the quantity sold: had these been smaller, the number sold might have been larger or the other way around. The auditor needs standards and ethical codes for guidance in applying the right norms and practices, and in defining and defending his professionalism. The credibility of private-sector accountants and auditors is secondary. If an accountant is accused of misconduct he can be confronted with civil liability and in more serious cases with criminal liability, which creates the need for precise and strict rules. If his credibility is in doubt, his market position might be weakened.
On the contrary, in the public sector credibility is predominant and not civil liability. Responsibility or accountability in the public sector means looking for a balance between market principles and social objectives (e.g. the purpose of the rule or regulation). If an external auditor fails to comply with the rules of art of his profession he loses his credibility, but this as such does not cause any liability. Only in very serious cases can criminal liability be at stake. In the private sector the correctness of financial reporting and auditing is important for trust in the financial situation of the companies concerned. Indeed, while a private auditor faces liability if his audit is proved to be erroneous because of the financial impact this may have, a public auditor will most likely face no charges if his report on policy achievements appears to be wrong, unless apparent fraud is uncovered. However, he will lose the quintessential credibility that justifies its action as a democratic institution.
There are several reasons for this. The different purposes of the public and private sector (public wellbeing vs. profit) inevitably entail different management modes, procedures and products. These should not be controlled based on the same standards since the essence of their activity is fundamentally different. In the public sector, accounting and auditing are part of the learning stage of public policy-making in the 36 AFM, 'Quality change of PIE audit firms too slow', https://www.afm.nl/en/professionals/nieuws/2017/juni/kwaliteitslag-oob (last visited 11 January 2018). 37 <https://ec.europa.eu/programmes/horizon2020/> (last visited 11 january 2018 Public-sector objectives such as public welfare require different ways of evaluation for various reasons. Firstly, measuring societal impact can be challenging by contrast to measuring economic profit of a firm based on its annual balance sheet: a State could present a risky balance sheet and still be performing well regarding societal objectives (by, for example, intentionally running up a deficit to bolster growth). Secondly, a policy may have side effects and touch many different sectors which requires a broad overview in order to be adequately evaluated. Thirdly, a policy is hardly measurable solely over the time span of an accounting year: it often has short, medium and long term effects which should all be taken into account. Evaluation is key to a well-performing democracy: performance auditing enables public actors to correct, improve or strengthen their policies on the basis of their relevance to the citizen. Correctly evaluating the relevance a policy has for citizens provides the public auditor with credibility, which, in turn, provides him with the necessary authority and influence to make public actors change their policy lines or not. If this credibility is undermined, the system loses an important part of its learning process which feeds public action. If the learning process fails to integrate lessons learned from auditing results, the public sector loses its connection with the citizen and ultimately its accountability. In this case, the public sector fails to deliver on its mission. These findings are illustrated in Figure 1 below.
This difference in the consequences that the two sectors face has important implications for international public-private standard-setting in the auditing sector. Most importantly, it explains why private bodies on some occasions, particularly for financial auditing, take the lead in standard-setting, and public organisations follow. As discussed above, for private bodies the external auditing task is most often limited to reliability of assurance work or controlling whether the auditee has done what it claims to have done (i.e. often not even compliance work, let alone performance work). Furthermore, their clients, often multinational corporations (MNCs), operate globally. Hence, there is a great need for common standards on reliability, and this is why private auditors have always been at the forefront regarding standards in this area. In other words, private auditing bodies and their clients have high incentives to develop comparable assurance criteria that go beyond national borders because the playing field is global. Furthermore, the nature of their work requires that they apply very precise, detailed standards. Indeed, facing liability and the link to financial work necessarily result in high precision.
For public organisations, on the other hand, the situation is very different. The EU or states are regulatorily autonomous and subject to democratic control. First of all there is less pressure to be international, because the central issue is to assess compliance with national rules. These rules often already indicate reliability criteria, and if not it is left to the public auditor to fill in the gaps. However, in the US and the EU, reliability standards are still needed to make states comparable but also to relate to the federal/EU level. Although there is value in soft law, there are also risks that need to be addressed. 41 Auditing practices regarding guidelines or other 'soft law' whose high precision derives from the private sector may lead to higher compliance standards than required by law in public auditing. For example, the assessment of the ECA that EU spending is affected by 'error' is partly a reflection of the complex and burdensome soft law (standards and guidelines). This emphasis on efficiency and effectiveness undermines the work of professionals and the credibility of EU public financial management while, in fact, it creates a non-fit with public-sector goals and legislation. However, public auditing organisations have taken the lead in standard-setting in non-financial auditing issues, particularly regarding compliance with regulations and performance towards results. The analysis of the existing accounting standards and how these private-public dynamics function in the context of the ECA is provided in the following section.

Sources of accounting and auditing standards
The ECA not only applies its own standards but it is also directly and indirectly influenced by activities of other organisations. The ECA for instance depends on financial reporting and auditing by the Commission and beneficiaries of EU funds in the Member States (MSs). An important part of EU funds is spent in shared management by the Commission and Member States. Some programmes are based on shared finance. Furthermore, a large number of EU agencies have their own budget and EU money is also spent in publicprivate cooperation. In this context, the banking crisis and the sovereign-debt crisis (EU crisis) have led to new financial responsibilities in search of accountability, based on uniform and more precise financial reporting in Member States. The start-up of the supervisory role of the European Central Bank on banks in Member States is exemplary in this regard. In this complex structure, standards for financial reporting and auditing play a crucial role.
Accounting and auditing standards are mainly used at three levels: (1) financial reporting by companies and institutions, (2) their internal audits and (3) external audits in the private and the public sector. Standards are developed by international organisations, which are based on private law, in the accounting sector that increasingly shape global cooperation. 42 For example, global accounting standards have been designed by a private association of accountants. 43 There are many of these non-governmental organisations on both sides of the Atlantic. Standards for accounting and auditing are mostly linked to ethical codes for the profession of accountants and auditors. Organizational and institutional sources of accounting and auditing standards are demonstrated in Figure 2 below.   54 Then the question emerges of how these standards are adopted and applied.
New Public Management (NPM) provided input for the introduction of business practices in the public sector, such as introducing 'outcome measures'. The idea was that the move to managerialism within the public sector could drive changes, and drive reform. These changes should improve efficiency, effectiveness and economy. The Commissioner then responsible for Financial Programming and Budget claimed '(…) It is a profound change in management culture (…)', 55 when introducing accrual-based accounting for the European Commission in 2005. However, with this move to business approaches in the delivery of public goods, a lot of soft law is introduced. For example, governments outsourced the set-up of public highways or the management of prisons. These arrangements are based on contracts and supplemented with soft-law instruments such as codes and guidelines. Codes and guidelines function beyond the oversight of traditional administrative law. With the trend towards managerialism and emphasis on efficiency and effectiveness as the operating ethos in the public sector, 56 administrative law is under pressure.
The problem is that soft-law instruments lead to 'back door' regulation which sets higher compliance standards than those required by law. 57 In the public sector, these high standards may create inconsistencies or systematically trigger 'hits' for errors while the auditee did actually respect the legal obligation his activity was subject to. If the auditor is perceived as systematically being too strict (and imposing standards above legal thresholds) his credibility is undermined on the whole. Furthermore, the question of how and by whom the standard was set also creates a threat to Supreme Audit Institutes' credibility.

The adoption and application of standards
An important issue is how decisions on standards are made. As mentioned above, standards for financial reporting, accountability and auditing are drafted and adopted by independent international organisations based on private law. The drafting process is increasingly subject to due process, which contributes to transparency and enables interested parties to get involved in the drafting process. These standards can be characterised as informal law, without explicit legal effect. 50  The attribution of law-making power is a logical prerequisite of formal law. States and international organisations usually have legislative power. However, informal law is not enacted by a competent lawmaker, but by another kind of entity, for instance a meeting of members of an association for international cooperation to improve accountability and governance. Informal law is of increasing importance for international cooperation especially in economic and financial relations. The binding effect of informal law primarily rests on 'self-binding' by a certain group of subjects, who adopt the norms as guiding their profession. There are many forms of informal law emerging from civil society. 58 Standards on accounting and auditing are an important example. 59 However, the international organisations involved in financial standard-setting have no law-making power whatsoever. If standards are set, they become relevant and effective if the professionals of a sector adopt them. Organisations may adopt standards within their own structure. For instance, auditing firms may choose certain sets of standards as binding for their work. A government auditing body can also accept certain auditing standards for internal audits etc. The same goes for ethical standards. These are examples of self-regulation. Self-regulation may have legal consequences. If an auditing firm violates the adopted standards this may imply civil or even criminal liabilities as mentioned above. In the public sector, government administrations may lose their credibility if they do not follow the adopted standards.
Ferdinand Wollenschläger 60 examined the EU-law principles more closely, as they relate to Public Procurement and the lessons to be learnt for developing auditing principles and standards. 61 The lifecycle of standards may result in these standards evolving from informal law to soft law and finally to actual legislation.
Informal law, as explained above, has effect through 'self-regulation'. A subsequent step towards general adoption may be that a national or European legislator refers to these standards. This reference may imply that standards for accountancy and auditing become soft law.

Soft law:
In EU law -as well as in international law -the term soft law is an accepted term for a great variety of phenomena. 62 In addition to EU legislation like regulations, directives and decisions, other -non-bindinginstruments are used: communications, recommendations, guidelines and notices. Policy rules adopted by public entities to guide their daily practices and their staff are another important category of soft law. 63 A further step may be that the legislator adopts standards with the implication that standards become 'law' stricto sensu and can be applied directly by courts.
In this context, it is necessary to elaborate on the application of soft-law rules. First of all, formal EU primary law, like the treaties, and secondary law, like regulations, directives and decisions have binding effect on the basis of the hierarchy of norms within the EU, which emerges from Article 288 TFEU. 64 Soft law is not mentioned in the Lisbon Treaty as a formal source of law. Although some forms of soft law, like advice Utrecht Law Review | Volume 14 | Issue 1, 2018 and recommendations, are explicitly mentioned, they have no legally binding effect. The same goes for the policy rules the ECA has adopted for fulfilling its auditing tasks. 65 Second, soft law is subordinated to formal EU law. Soft law, like policy rules for the governance of an organisation like the ECA, has no absolute effect like formal EU law. Policy rules like the ISSAI standards and the various handbooks the ECA has introduced should be applied in the majority of cases they concern, but in individual cases it might be necessary to deviate from them. Following policy rules should never be automatic. This is particularly relevant because in daily practice auditors working at the ECA and members of the ECA have a tendency to consider the content of handbooks as 'law', which it is not.
A problem caused by this lifecycle is that in fine, standards set by bodies that have not been appointed democratically become law. Although this results from a voluntary adoption by the relevant regulatory bodies, the process of standard-setting was not initiated by a democratically legitimate body, which creates accountability issues.

The analysis of standards and their translation into ECA frameworks
In the previous section, we described how decisions on standards are made and how they may develop from informal law into formal law. This section therefore aims to provide an analysis of the application of standards for accounting and auditing in the EU: the International Financial Reporting Standards (IFRS), the International Professional Practices Framework (IPPF), the International Standards on Auditing (ISA) and the ISSAIs. Then, we will analyse how these standards fit in the ECA's legal framework. Indeed, in its role as external auditor, the European Court of Auditors (ECA) applies international auditing standards (INTOSAI (ISSAIs) and those of IFAC (ISAs)). The Treaty does not impose or prescribe a specific auditing method or approach. In its work, the ECA is bound by the provisions specified in Article 287(3) but also by the Charter of Fundamental Rights of the European Union -which contains, for example, the right, with detailed specifications, to good administration (Article 41) -and the EU Financial Regulation. However, the European Court of Auditors Financial and Compliance Manual (FCAM) only refers to Article 287. 66 This raises a series of questions and loopholes which will be brought to light in the following analysis of the standards for accounting and auditing in the EU: the IFRS, the IPPF, ISA and ISSAIs. Then, we will analyse how these standards fit in the ECA's framework.

International Financial Reporting Standards (IFRS)
Reliable internal financial reporting of companies is of increasing importance in the EU. 67 Although financial reporting is primarily important for management and stakeholders, taxation and trust of the broader public are also based on reliable financial reporting. Globalisation implies that good financial governance of companies is of increasing public interest. The International Financial Reporting Standards (IFRS) are issued by a private international organisation, the International Accounting Standards Boards (IASB), whose members adopt the standards. 68 The European Union co-finances this private body. 69 The European Financial Reporting Advisory Group (EFRAG) is a technical private-law entity 70 that advises the European Commission on all issues relating to the application of the International Financial Reporting Standards (IFRS) in the EU.
Utrecht Law Review | Volume 14 | Issue 1, 2018 EFRAG signed a working arrangement with the European Commission under which the latter provides funding. 71 EFRAG General Assembly is composed of all EFRAG Member Organisations which are private-law entities. Sound financial reporting has led the EU to adopt these standards. On the basis of EU regulations the European Commission may designate the companies and the extent to which the International Financial Reporting Standards (IFRS) are applicable. In this way a substantial part of these standards become formal EU law, which is directly applicable. 72 In the period between 2008 and 2012, 30 International Financial Reporting Standards (IFRS) standards and some interpretative notes were endorsed by the EU. 73 The EU has to endorse IFRS 'as they are' in order to be fully compliant, i.e. no changes can be made. The European Parliament can only accept or oppose. 74 Figure 3 below explains the endorsement procedure (best-case scenario). 75 Figure 3

International Professional Practices Framework (IPPF)
The Internal Audit Service of the EU 76 was established by Commission Decision on 11 April 2001 and its first Charter was adopted on 31 October 2002. The need to establish an internal auditing function is mentioned in Article 98 of the Financial Regulation, 77 and Article 115 of the Rules of Application 78 of the Financial Regulation indicates that the institution shall provide the internal auditor with a mission charter detailing his tasks, duties and obligations. The EU Commission has adopted the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing as drawn up by the Institute of Internal audits (IIA). 79 However, EU law shall prevail in case of discrepancies. In this way, the International Professional Practices Framework (IPPF), which started as informal law regulating the internal audit profession, has been transformed into soft law consisting of self-binding policy rules and an ethical code.

International Standards on Auditing (ISAs) and International Standards of Supreme Audit Institutions (ISSAIs)
At the level of external auditing, international cooperation is paramount.

The ECA and ISSAIs
The It is the responsibility of the SAI to work out these concepts and norms in practice. For the European Court of Auditors (ECA), the Treaty does not impose or prescribe a specific auditing method or approach. However, these internationally accepted standards, voluntarily followed by the European Court of Auditors, are the backbone of implementation and execution of the European Court of Auditors' mandate as defined in the Treaty. This financial governance structure implies that informal law, here the International Organisation of Supreme Audit Institutions (INTOSAI) rules, is adopted and transformed by the European Court of Auditors into soft-law policy rules guiding its actions and the auditors working in the European Court of Auditors' organisation. This means that the voluntarily accepted standards become more binding due to enforcement of the European Court of Auditors.
Not only the International Standards of Supreme Audit Institutions (ISSAIs) are relevant for the ECA's work. Some ISSAIs refer to International Standards on Auditing (ISAs). They do so regarding professionalism in the field of auditing. Second, the great variety of the EU executive organisation (Commission, agencies, Public Private Partnerships etc.) and the various forms of financial governance imply that the European Court of Auditors is confronted in its work with all kinds of financial standards, including those used by private Utrecht Law Review | Volume 14 | Issue 1, 2018 auditing firms and Supreme Audit Institutions. For example, the introduction of accrual-based accounting by the European Commission (see above Section 2.3).

Analysis of the content of ISSAIs and their relationship to the EU legal framework
The International Standards of Supreme Audit Institutions (ISSAIs) present a four-level structure with, on the one hand, precision increasing at each level and, on the other hand, legal strength decreasing at each level. This four-level structure of the International Standards of Supreme Audit Institutions (ISSAIs) implies an increasingly detailed elaboration of the Supreme Audit Institutions' work as independent external auditor. Level 4 can be considered as an auditing handbook with detailed descriptions of what may be expected from an auditor. These descriptions imply, on the one hand, a self-binding guidance of the organisation and controllable instructions for auditors working on certain audits. They also play an important role in quality control. Several International Standards of Supreme Audit Institutions (ISSAIs) are related to subsequent subjects in International Standards on Auditing (ISAs). This implies that the content of certain ISSAIs is mainly an addition to the relevant ISA, which should be applied with direct effect. For instance, ISSAIs 1700 on 'Forming an Opinion and Reporting on Financial Statements' provides an introduction to ISA 700, which should be applicable to the public sector and incorporates this ISA in the ISSAIs. The four-level structure of the International Standards of Supreme Audit Institutions (ISSAIs) -from principles to their practical elaboration -can also be analysed in a different way if we take into account the context of the ECA as an EU institution applying the ISSAIs. The first level largely corresponds to the Treatybased legal framework of the Court, which inter alia shapes the principles of independence (Article 287 TFEU). The Treaty also introduces Rules of Procedure which should be approved by the Council and are formal EU law. These Rules of Procedure stipulate that: 'The Court shall lay down detailed rules for the conduct of the audits with which it is charged by the Treaties.' This forms a legal basis for the adoption/implementation of the ISSAIs. The second level of the ISSAIs concerns general principles, which we will identify below as related to general principles of law and general rules of good procedure. The third level consists of ´common sense´ descriptions of auditing work. It is important to note that accounting and auditing largely consist of Utrecht Law Review | Volume 14 | Issue 1, 2018 common sense´ practices. There is only limited academic theory involved in the practice of accounting and auditing. 89 The fourth level concerns best practices. These findings are demonstrated in Figure 4 below.

Figure 4
This section has identified and analysed the standards of auditing and accounting and their interaction with the legal framework in which the European Court of Auditors operates. It has highlighted a series of shortfalls in the current system regarding accountability. The mechanisms through which standards are transformed into soft or hard law are questionable, for example. There is, therefore, a need for change in this area.

Conclusion: general principles of good auditing as a means to restore SAI accountability
The reliability of professional financial reporting and auditing is of increasing importance in our globalised world. They are a key element in ensuring good governance and trust in activities by both private-sector and public-sector organisations. In the private sector as well as the public sector, standards are developed by private standard-setters, which shape international cooperation of accountants and auditors. Standards are defined as best practices based on expertise.

Lessons to be drawn
Utrecht Law Review | Volume 14 | Issue 1, 2018 2. Standards for financial reporting and auditing start their lifecycle as informal law, when national or international associations promulgate them through due-process procedures. In the public sector these standards can be transformed into soft law when they are adopted by Supreme Audit Institutions and the European Court of Auditors as the EU's auditor. Voluntary standards gain significance once they are enforced by Supreme Audit Institutions. Soft law is subordinate to formal EU law, serves as policy rules for auditing organisations like the European Court of Auditors and can be deviated from if necessary and duly justified. The reporting and auditing standards that are applied cover a four-level structure: the legal framework, general principles, common sense, and best practices (Figure 3). However, some issues need further clarification. Standards for the private sector are drafted in a legal context -contract law -that is different from that in the public sector. The role of financial auditing in the private sector (liability regarding the auditor's products) does not necessarily coincide with the role of compliance auditing in the public sector (credibility, and public institutions being relevant to the positive development of the policy process (learning)). In the private sector, for example, a quantitative approach is very relevant to reducing bankruptcies, thus reducing systemic risk.
3. For the public sector a more qualitative approach, taking into account general principles of EU law (legal certainty and protection of legitimate expectations, proportionality, transparency, privacy and sound administration), is necessary to value the achievement of democratically elaborated policy priorities. A government cannot be governed by purely operation-based ethos focussing on efficiency and effectiveness. The public sector, which is based on constitutional law and EU law, mainly follows and more or less copies the private-sector standards, as far as financial auditing is concerned. For issues that are not covered by the private-sector standards such as compliance and performance audits, public-sector auditors have developed standards and guidelines. However, these standards are inspired by a focus on managerialism (new public management). For example, the 'standard' stipulating that objectives or goals formulated by politicians should be measurable. There is a risk that initially voluntary standards, due to the enforcement of Supreme Audit Institutions (SAIs), become 'soft law'. This 'back door' regulation sets higher compliance standards than those required by law or these standards make no sense for evaluating government policies. This being the case, one must ask to what extent we pay attention to the interaction between 'soft law' (enforced standards) and 'hard law' (general principles of EU law): Where are the general principles of good auditing?

How to go ahead?
This brings us to the question of what general principles of good auditing entail exactly. On the basis of the content of standards, one may identify various general principles of good auditing, such as independence and the rules of engagement of an auditor. These principles may to a certain extent be compared to general principles applied in public administration, like the general principles of good administration.

1.
A more systemic inventory and comparison of these general principles with standards might be helpful to identify the usefulness of these auditing standards for contributing to 'a learning process' in the public sector. At the European level, these principles should be drawn from the European Code of Good Administrative Behaviour. However, their precise content and the synergy they should create are a challenge for further research. People, whether in their role of citizens or of stakeholders in a company, want to work with institutions and organisations that are reliable, independent and instil the confidence that their systems work towards the goals they publicly express. External auditors need to be independent, which also means free of any conflict of interests regarding the body audited so that, as auditor, they can also be seen to be independent. Another element to create trust is assurance that external auditors conduct their compliance audits on the basis of standards that are democratically robust. Currently the decisionmaking and democratic-control process regarding the adoption of privately inspired standards for the