Module 4 - Introduction to Performance Audit_4B
4B. Planning a Performance Audit Engagement (40%)

4B. Learning Outcomes

On completion of this Module, students will be better able to:
- Describe the decision-making process for including performance audits in the plan of engagements.
- Identify appropriate subject matter for a performance audit.
- Create a plan for a performance audit engagement.
- Define performance audit objectives.
- Select appropriate criteria for a performance audit.
- Develop a suitable scope for a performance audit.
- Use appropriate methods for gathering evidence.

4B.1 Performance Audits in the Audit Plan

The first formal step in performance auditing is identifying the need for the engagement and including it in the plan of audits. Engagements should be chosen to offer maximum added value and ensure adequate audit coverage within the confines of available resources.

Factors impacting the decision to plan for a performance audit may include the following features of the entity, policy, activity, project, or system under consideration:
- Financial significance.
- Public constraints.
- Known or alleged problems or wrongdoing.
- Potential for cost savings and service improvements.
- Financial condition – of the governing body, trust funds, etc.
- Visibility of the program – political sensitivity, national importance.
- Risk of loss, fraud, and corruption.
- Public welfare (health, safety, etc.).
- Interest of management, the legislature, and the public.
- Recent audit coverage. [36]

Two key aspects should be identified to ensure the needs of the intended users of the audit report remain at the center of the process:
- Subject matter.
- Key parties to the audit.

Subject Matter

ISSAIs describe the process for identifying the topic or subject matter for a performance audit, as follows.

26) Subject matter refers to the information, condition or activity that is measured or evaluated against certain criteria. It can take many forms and have different characteristics depending on the audit objective. An appropriate subject matter is identifiable and capable of consistent evaluation or measurement against the criteria, such that it can be subjected to procedures for gathering sufficient and appropriate audit evidence to support the audit opinion or conclusion. [37]

19) The subject matter of a performance audit need not be limited to specific programmes, entities or funds but can include activities (with their outputs, outcomes and impacts) or existing situations (including causes and consequences). Examples might be service delivery by the responsible parties or the effects of government policy and regulations on administration, stakeholders, businesses, citizens and society. The subject matter is determined by the objective and formulated in the audit questions. [38]

30) The subject matter relates to the question “what is audited” and is defined in the audit scope. The subject matter of a performance audit may be specific programmes, undertakings, systems, entities or funds and may comprise activities (with their outputs, outcomes and impacts) or existing situations, including causes and consequences. The audit scope is the boundary of the audit and is directly tied to the audit objectives. The audit scope defines the subject matter that the auditor will assess and report on, the documents or records to be examined, the period reviewed, and the locations that will be included. [39]

[36] Raaum and Morgan, Performance Auditing: A Measurement Approach, The Internal Audit Research Foundation, 2009.

Topics for performance engagements are identified in the context of the assurance provider’s planning processes. The Performance Audit ISSAI Implementation Handbook provides an example framework for identifying important topics for performance audits, summarized below.

Activity: Description
- Scanning the public sector environment: Monitoring key issues in the public sector.
- Reviewing official announcements: Monitoring official announcements and publications, including:
  - National sustainable development goals.
  - Resolutions by the Committee on Public Accounts or equivalent.
  - State of the nation or parliamentary opening speeches by the head of state.
  - Legislation and legislative proposals.
  - National budgets and guidelines.
  - Other public policy documents.
  - Annual reports of audited entities.
  - Global developments, such as themes identified by INTOSAI.
- Financial analysis: Paying close attention to:
  - Complex financial arrangements.
  - New sources of income and expenses.
  - Areas where spending is high or changing rapidly.
- Media monitoring: Monitoring a wide range of media to identify concerns about public services.
- General overviews: Completing a general overview or survey to identify audited entity’s objectives, main activities, and the level and nature of resources used in carrying out its functions.
- Consideration of views of citizens: Engaging with representatives of civil society, taking account of inclusiveness, stakeholder concerns, public interest, regulatory requirements, and consequences for society.
- Liaison with other external stakeholders: Building relationships with external stakeholders, subject experts, academics, and other relevant parties, including non-government organizations to leverage available research, case studies, and networks.
- Internal discussions and assessments within the SAI: Discussion with other auditors and review of previous audits, identifying trends, themes, and potential audit priorities.

Framework for Strategic Planning [40]

[37] ISSAI 100 Fundamental Principles of Public Sector Auditing, INTOSAI, 2019.
[38] ISSAI 300 Performance Audit Principles, INTOSAI, 2019.
[39] ISSAI 3000 Performance Audit Standard, INTOSAI, 2019.

Criteria for selecting topics may be identified and scored to assist with the process of prioritization. Entity and central government priorities may be considered including the application of budgetary resources. Criteria may cover the following:
- Materiality.
- Auditability.
- Possible impact.
- Risks to the SAI (or internal audit function).
- Legislative or public interest.
- Relevance.
- Timeliness.
- Previous audit work.
- Other major work planned or in progress.
- Requests for maintenance audits. [41]

The purpose of criteria is to assist the auditor in making an evaluation of performance without reducing the assessment to a compliance check. The internal audit standards emphasize the importance of a risk-based approach, in accordance with Standard 2010 – Planning. Performance audits (like other engagements) are identified based on organizational priorities, objectives, and significant risks. The plan may be modified as circumstances change.

2010 – Planning

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation:

To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

2010.A1 The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

2010.A2 The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions. [42]

[40] Performance Audit ISSAI Implementation Handbook, IDI, 2021.
[41] Performance Audit ISSAI Implementation Handbook, IDI, 2021.

No process is going to yield a definitive answer on the topics needed for performance audits and the final decision requires the exercise of professional judgment.

Because of the differences in breadth of scope, the likely topics of performance audits conducted by internal auditors differ from those of external auditors. Topics of performance audits conducted by internal audit functions typically focus on a single entity and its activities. Topics may include:
- Policy implementation at the entity level.
- Impact assessment of social projects implemented by the entity.
- IT initiatives such as upgrades, the introduction of new systems, and digital transformation.
- Organizational change management initiatives such as restructuring.

Topics of performance audits conducted by SAIs, on the other hand, focus on government as a whole and may span subject matter that is the responsibility of multiple entities. Topics may include:
- Preparedness for implementation of SDGs.
- Effective procurement.
- Coordination across government.
- Economic outcomes.
- Regulation.
- Social outcomes.
- Environmental and sustainability outcomes.
- Gender equality.
- Infrastructure.
- Education.
- Health, education, and gender equality. [43]

The Performance Audit ISSAI Implementation Handbook describes a process for selecting a topic as follows:
- Understand interests and priorities from the ministry, legislature, government, or other stakeholders such as civil society organisations or the public.
- Use selection criteria to ensure audit topics are significant, auditable, and consistent with the SAI’s mandate.
- Scan the audit environment by conducting risk, financial, and policy analysis.
- Prioritise audit topics and determine the SAI’s highest priorities.
- Select a topic for the audit team. [44]

[42] The International Professional Practices Framework, The IIA, 2016.
[43] Taken from Performance Audit ISSAI Implementation Handbook, IDI, 2021.

Key Parties

When developing the plan of audits, it is important to recognize who the key parties are, as required by the standards:

25) The auditor shall explicitly identify the intended users and the responsible parties of the audit and throughout the audit consider the implication of these roles in order to conduct the audit accordingly. [45]

There is a tendency to focus on the end user but there are other parties to consider as well. The three parties to an internal audit assurance engagement are described in the IPPF as follows:

(1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter – the process owner,
(2) the person or group making the assessment – the internal auditor, and
(3) the person or group using the assessment – the user. [46]

For internal audit, the primary users are the process owners or unit manager, senior management, and the governing body.

The three parties to a public sector external audit are described slightly differently in ISSAI 100:

25) Public-sector audits involve at least three separate parties: the auditor, a responsible party and intended users. The relationship between the parties should be viewed within the context of the specific constitutional arrangements for each type of audit.
- The auditor: In public-sector auditing the role of auditor is fulfilled by the Head of the SAI and by persons to whom the task of conducting the audits is delegated. The overall responsibility for public-sector auditing remains as defined by the SAI’s mandate.
- The responsible party: In public-sector auditing the relevant responsibilities are determined by constitutional or legislative arrangement. The responsible parties may be responsible for the subject matter information, for managing the subject matter or for addressing recommendations, and may be individuals or organisations.
- Intended users: The individuals, organisations or classes thereof for whom the auditor prepares the audit report. The intended users may be legislative or oversight bodies, those charged with governance or the general public. [47]

The responsible party is responsible not only for the activities being evaluated but also for supporting the auditors during the engagement by providing unrestricted access to the information, people, and resources needed.

[44] Performance Audit ISSAI Implementation Handbook, IDI, 2021.
[45] ISSAI 300 Performance Audit Principles, INTOSAI, 2019.
[46] The International Professional Practices Framework, The IIA, 2016.

4B.1: Reflection

Identify some recent performance audits you have been involved with or those that have been managed by your audit team.
Which aspects of the planning and execution of those performance audits worked well?
Which aspects were less successful or more difficult or challenging than expected?
What improvements can be made to the process for planning and performing performance audits?
How is the decision made to include a performance audit in the plan of engagements?
How is the topic identified? Who is involved in the decision?
How are the key parties of an audit identified and their needs evaluated? Is there a formal process?

4B.2 Getting Started

The key steps in audit design and planning may be described as follows:
- Conduct pre-study
- Define objectives
- Establish approach/methodology
- Formulate audit questions
- Select criteria
- Document the audit

Figure: Key Steps in Performance Audit Design

For internal audit planning, the IPPF provides standards relevant to every kind of audit without specific relevance to performance audits.

2200 – Engagement Planning

Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.

2201 – Planning Considerations

In planning the engagement, internal auditors must consider:
- The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance.
- The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
- The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model.
- The opportunities for making significant improvements to the activity’s governance, risk management, and control processes. [48]

For external auditors, ISSAI 3000/96-105 provides standards for planning performance audits and may be summarized as follows:
- The plan should support quality and timely results.
- The audit should be considered as a project requiring “organizing, securing, managing, leading, and controlling resources to achieve specific goals.”
- The auditor needs sufficient background knowledge which generally requires initial research “for building knowledge, testing various audit designs and checking whether the necessary data are available” (acquired through the pre-study).
- Audit responsibilities should be clearly assigned.
- Audit plan and procedures should be designed to gather “sufficient and appropriate evidence” based on the objectives and develop timely and relevant findings, conclusions, and recommendations.
- The plan and procedures should be flexible to respond to insights gained. “Performance audit is a learning process involving adaptation of methodology, as part of the audit itself.”
- Audit plan, procedures, objectives, and criteria should be approved by the supervisor as part of quality control. [49]

[47] ISSAI 100 Fundamental Principles of Public Sector Auditing, INTOSAI, 2019.

Performance Audit Pre-Study

The pre-study is used to ensure the auditor has sufficient information to plan and manage the engagement. Implementation Guidance 2201 – Planning Considerations suggests a survey may be useful at the planning stage of an internal audit engagement.

Internal auditors can plan effectively for an engagement if they start with an understanding of the mission, vision, objectives, risk, risk appetite, control environment, governance structure, and risk management process of the area or process under review. A preliminary survey could be a valuable tool to help internal auditors achieve a sufficient understanding of the area or process to be audited. [50]

The Performance Audit ISSAI Implementation Handbook provides more specific guidance with respect to information gathering for a performance audit.

To determine whether conditions for a successful audit exist, you will need to build on work completed when you selected your audit topic; that is, by collecting additional information that enables you to understand:
- The organisational structures, roles and functions, stakeholders, activities and processes, resources, and trends.
- The organisational goals.
- Applicable internal controls.
- The internal and external environmental factors that affect the entities and programmes under review.
- The external constraints affecting the delivery of outputs and outcomes.
- What is working well and not working well within the entities and programmes under review.
- The criteria that exist or can be developed to assess performance.
- The extent to which the activities are inclusive of all affected parties. [51]

While this information may be collected continuously during the execution of the engagement, much of the information is needed at an early stage. In particular, the need is to define objectives and select scope and methodology. Potential information sources include:
- Legislation, legislative speeches, ministerial statements and government decisions.
- Strategic and corporate plans, mission statements and annual reports.
- Discussions with audited entity management and staff and key stakeholders.
- Organisation charts, internal guidelines, and operating manuals.
- Interviews with experts, including non-governmental.
- Policies, directives and plans.
- Previous audit reports.
- Reviews, evaluations and studies.
- Performance and accountability reports.
- Media coverage.
- Management information systems.
- Websites. [52]

[48] The International Professional Practices Framework, The IIA, 2016.
[49] ISSAI 3000 Performance Audit Standard, INTOSAI, 2019.

4B.2: Reflection

How does the planning process for a performance audit differ from planning for other types of engagements?
How does your audit function conduct a pre-study for a performance engagement?
Which information needed for the pre-study is readily accessible? Which information is harder to acquire?

[50] The International Professional Practices Framework, The IIA, 2016.
[51] Performance Audit ISSAI Implementation Handbook, IDI, 2021.
[52] Performance Audit ISSAI Implementation Handbook, IDI, 2021.

4B.3 Audit Objectives

Audit objectives may be developed in conjunction with the subject matter or as a more detailed expansion of the outline topic. The objectives state what the audit is intended to accomplish.

Internal audit standards for setting objectives focus on an assessment of risk as well as the potential for “significant errors, fraud, noncompliance, and other exposures.” [53] However, this does not address the specific requirements of a performance audit with the purpose of evaluating economy, effectiveness, and efficiency.

Objectives serve as the basis for developing questions the audit is designed to answer. Objectives need to be clear, concise, objective, and measurable, and enable the auditor to reach an unambiguous conclusion. The objectives also serve to communicate the purpose of the audit to stakeholders.

The care taken in developing objectives can make the difference between a successful and an unsuccessful audit. Each objective should be written in the form of a question (or as statements beginning “to determine…”) and contain the following key elements:
- Subject (i.e., the subject matter – e.g., organization, program, program component, function, or activity).
- Performance aspects (i.e., what management is responsible for, namely carrying out public functions efficiently, economically, effectively, ethically, and equitably, while achieving desired program objectives).
- Finding elements to be addressed according to the needs of the intended user (i.e., one or more of condition, effect of the condition, significance of the effect, and potential solution).
- Criteria (to include agency goals, when available, even if such goals are found to be deficient and contributing to low performance).
- Audit focus/approach (how the objective may be investigated). [54]

Objectives may be formulated in different ways. The following examples are taken from the Performance Audit ISSAI Implementation Handbook:
- Problem-oriented approach: the objective is stated to include a short description of a known issue. For example, “to determine why the fisheries and environment department did not enforce key fisheries statutes and habitat policy.”
- Results-oriented approach: the objective directly describes what is to be measured. For example, “to assess the extent to which officers have implemented key income tax provisions.”
- Systems-oriented approach: the objective focuses on what the system under review is designed to do. For example, “to assess the extent that agency systems include controls needed to monitor how grant recipients use funds.”

[53] Standard 2210 – Engagement Objectives, The International Professional Practices Framework, The IIA, 2016.
[54] Based on Raaum and Morgan, Performance Auditing: A Measurement Approach, The Internal Audit Research Foundation, 2009.

Audit Questions

Once formulated, audit objectives are often used to develop more specific audit questions as a focus for the audit work. Guidance for creating audit questions for performance audits is included in GUID 3920 The Performance Auditing Process (31-34). [55] This can be summarized as follows:
- Audit questions “stated in a neutral form” addressing the audit objectives “help define and structure the audit.”
- Questions should be “thematically related, complementary, not overlapping, and collectively exhaustive in addressing the audit objective(s).”
- In relation to a known condition or conditions, questions may be analytical, normative, or descriptive.

The engagement can be considered complete when the questions are satisfactorily answered. Further questions, however, may arise as the engagement proceeds, especially if significant changes occur in the operating environment during the execution of fieldwork, such as changes to relevant laws, policies, structures, and operations. Investigation will establish conditions. Root cause analysis techniques can be used to help the auditor identify potential causes of known conditions and develop additional audit questions to be used to guide further inquiry that will establish causality in fact.

It is possible to imagine a hierarchy of questions stemming from the primary question which originates from the risk analysis. Collectively the questions should be exhaustive and mutually exclusive without undue overlap or gaps, and be both relevant (i.e., derived from the risk assessment) and auditable (i.e., definitively answerable). [56]

4B.3: Reflection

What process is followed for developing and approving audit objectives and questions for performance audits?
Is there a set format or template for audit objectives and questions your audit function uses?
When are objectives and questions communicated with the responsible party and how?

[55] GUID 3920 The Performance Auditing Process, INTOSAI, 2019.
[56] For more guidance on developing audit objectives and questions see, for example, European Court of Auditors “Developing the Audit Objectives,” 2013.

<strong>4B</strong>.4 <strong>Audit</strong> Scope<br />
It is necessary <strong>to</strong> define the scope of any engagement as it sets the boundaries for the<br />
investigative work, including the period of interest and particular activities and locations <strong>to</strong> be<br />
audited. Without a scope or in the absence of a well-defined scope, there is no clear<br />
indication of what may be considered within the engagement nor when the engagement may<br />
be regarded as complete. <strong>Audit</strong> objectives and questions <strong>to</strong> be answered help guide the<br />
audi<strong>to</strong>r in determining <strong>to</strong> what needs <strong>to</strong> be included in the scope.<br />
The scope defines the boundary of your audit and addresses such things as specific<br />
questions you intend <strong>to</strong> ask and the type of study you will complete. In particular, the<br />
audit scope defines the subject matter the audi<strong>to</strong>r will assess and report on, the<br />
documents or records <strong>to</strong> be examined, the period reviewed, and the locations that<br />
will be included. The scope is directly impacted by the audit’s objective(s) and<br />
questions. As a result, you may need <strong>to</strong> modify the scope as you collect information<br />
and become more knowledgeable about the subject of the audit. 57<br />
Engagement creep can occur when scope is poorly defined and additional work is included<br />
which is outside of the original intended purpose. While it is sometimes possible and useful<br />
<strong>to</strong> extend the engagement, such as when consulting opportunities are identified during the<br />
audit, this should be done in a formalized manner.<br />
Standard 2220 describes the requirements applicable to all internal audit engagements.<br />
The established scope must be sufficient to achieve the objectives of the<br />
engagement.<br />
2220.A1 The scope of the engagement must include consideration of relevant<br />
systems, records, personnel, and physical properties, including those under the<br />
control of third parties.<br />
2220.A2 If significant consulting opportunities arise during an assurance<br />
engagement, a specific written understanding as to the objectives, scope, respective<br />
responsibilities, and other expectations should be reached and the results of the<br />
consulting engagement communicated in accordance with consulting standards.<br />
2220.C1 In performing consulting engagements, internal auditors must ensure that<br />
the scope of the engagement is sufficient to address the agreed-upon objectives. If<br />
internal auditors develop reservations about the scope during the engagement, these<br />
reservations must be discussed with the client to determine whether to continue with<br />
the engagement.<br />
2220.C2 During consulting engagements, internal auditors must address controls<br />
consistent with the engagement’s objectives and be alert to significant control<br />
issues. 58<br />
57 Performance Audit ISSAI Implementation Handbook, IDI, 2021.<br />
58 Standard 2220 – Engagement Scope, The International Professional Practices<br />
Framework, The IIA, 2016.<br />
Determining scope is fundamental to audit design, and much of the audit plan follows once<br />
this scope has been established, as illustrated below.<br />
Select strategy<br />
Select scope<br />
Select analytical methods and performance measurements (criteria)<br />
Select data to use<br />
Determine data sources and collection methods<br />
Select methods for validating data<br />
Test fieldwork plan<br />
Steps in Audit Design (based on Rauum and Morgan, 2009) 59<br />
Audit methodology and audit criteria are part of this process and are considered below.<br />
The auditor is naturally guided and constrained by considerations such as time, cost,<br />
resources, expertise, professional standards, policies, and approved procedures. In general,<br />
the time, skill, and resources needed to complete the audit should be made available, but<br />
auditors must also operate efficiently.<br />
In some cases, it may be possible to test every potential element covered by the audit<br />
objectives exhaustively, but typically the frame of reference is selectively limited in terms of<br />
the timeframe (by ignoring events occurring earlier or later than a selected period) and the<br />
universe by defining a representative subset of people, activities, locations, and outputs on<br />
which to base the investigation.<br />
To help set the scope and determine what aspects of the universe to include, whether to<br />
sample or investigate the entire universe, the following questions can be used.<br />
Topic: Questions<br />
What?<br />
• What specific questions or hypotheses are being examined?<br />
• What are the key processes relevant to your audit?<br />
• What is the subject matter that will be assessed and reported on?<br />
• What resources are available to complete the audit?<br />
• What questions, processes, and resources will not be covered?<br />
Who?<br />
• Which agencies and organisations have responsibilities or perspectives<br />
relevant to the audit?<br />
• Who within relevant agencies and organisations is best positioned to<br />
provide appropriate and sufficient evidence to answer the audit questions?<br />
• Who is responsible for assuring the reliability of information and data that<br />
are relevant to your audit?<br />
• Which organisations or persons will be excluded?<br />
Where?<br />
• What are the locations to be covered?<br />
• Where are the documents and records that need to be examined?<br />
• What locations will be excluded?<br />
When?<br />
• What is the timeframe to be covered?<br />
Scope Questions 60<br />
59 Rauum and Morgan, Performance Auditing: A Measurement Approach, The Internal Audit<br />
Research Foundation, 2009.<br />
The processes used for defining audit objectives, questions, and scope for performance<br />
audits are closely related. Clarifying one of these aspects for the audit helps <strong>to</strong> clarify the<br />
others. Often, they are developed together for this reason rather than as part of a distinct<br />
sequential process.<br />
4B.4: Reflection<br />
What is the process used by your audit function for defining audit objectives, questions,<br />
and scope for performance audits?<br />
To what extent are inputs from parties other than the internal auditor involved in this<br />
process?<br />
Which aspects of defining audit objectives, questions, and scope for performance audits<br />
are the most difficult and the most important?<br />
Do experienced internal auditors require additional training when planning a performance<br />
audit for the first time?<br />
4B.5 Methodology<br />
Consideration of methodology forms part of the planning process and will inform how the<br />
engagement is subsequently performed. Methodology includes the techniques to be chosen<br />
for collecting and processing information (comparison, measurement, data analytics,<br />
graphical representations, etc.). Evidence is needed to support the finding elements defined<br />
in the audit objectives. The typical approach comprises the following:<br />
• Define and document the criteria.<br />
• Determine the condition.<br />
• Establish the effect.<br />
• Identify cause.<br />
This is illustrated in the diagram below:<br />
[Diagram with the elements: Criteria, Condition, Effect, Cause, Finding, Recommendation]<br />
60 Performance Audit ISSAI Implementation Handbook, IDI, 2021.<br />
These key terms may be defined as follows:<br />
Elements of Audit Findings<br />
• Criteria – what should be found from gathering and processing information about the<br />
topic area.<br />
• Condition – what was found.<br />
• Effect – the consequences of the condition (likelihood and impacts of resulting risks).<br />
• Cause – what gave rise to the condition discovered.<br />
Based on their analysis, auditors can communicate their findings to intended users.<br />
• Finding – actual performance (economy, effectiveness, and efficiency) with reference<br />
to the criteria, condition, effect, and cause. Reported findings may be limited to<br />
deficiency or performance below the desired level as defined by the criteria.<br />
In addition, auditors may also provide recommendations for addressing weaknesses and<br />
making improvements.<br />
Information gathering starts at the earliest stages of planning, including the use of any pre-study,<br />
and continues throughout the engagement. The processes described below also<br />
inform the performing stages, beginning in earnest after the planning and preparation. All<br />
data used needs to be checked for sufficiency, relevance, and reliability. Steps for confirming<br />
reliability may include corroboration, verification, validation, and obtaining additional<br />
information. 61<br />
There are different ways of gathering information. Substantive procedures defined by audit<br />
standards (e.g., ISA 330) 62 generally include the following:<br />
• Inspection.<br />
• Observation.<br />
• External confirmation.<br />
• Recalculation.<br />
• Reperformance.<br />
• Analytical procedures (including the use of computer-assisted audit tools, CAATs).<br />
• Inquiry.<br />
The IDI handbook provides an alternative and broader way of considering data-gathering<br />
methods as illustrated below.<br />
[Diagram: Data-Gathering at the centre, surrounded by the following methods]<br />
• Direct observations and inspection<br />
• Surveys<br />
• Site visits<br />
• File reviews and structured observations<br />
• Small group methods (e.g., focus groups)<br />
• Document collection<br />
• Secondary data<br />
• Interview<br />
• Case studies<br />
Data-Gathering Methods for Performance Audits (based on Performance Audit ISSAI<br />
Implementation Handbook) 63<br />
Regardless of the methods used, the auditor must ensure evidence is sufficient, reliable, and<br />
relevant. Evidence gathering is considered in more detail in section 4C.1 as a major part of<br />
fieldwork.<br />
61 See Rauum and Morgan, Performance Auditing: A Measurement Approach, The Internal<br />
Audit Research Foundation, 2009.<br />
62 See ISA 330, The Auditor’s Response to Assessed Risks, IFAC, 2013.<br />
63 See Performance Audit ISSAI Implementation Handbook, IDI, 2021.<br />
4B.5: Reflection<br />
Which data gathering methods are favored over others and why?<br />
Do you report positive findings in performance audits where conditions match or exceed<br />
the criteria?<br />
Do you routinely offer recommendations even when performance is at or above the level<br />
expected?<br />
4B.6 Audit Criteria<br />
When evaluating performance, the auditor may focus on processes and/or results. The audit<br />
may evaluate the adequacy of:<br />
• How tasks are performed.<br />
• Results achieved.<br />
The purpose of audit criteria is to establish a basis of measurement of performance through<br />
a comparison of actual results with expected, desired, and/or reasonable outputs, outcomes,<br />
and impacts with plans, forecasts, benchmarks, and other standards. The criteria should<br />
enable the auditor to reach conclusions regarding economy, effectiveness, and efficiency.<br />
55) The audit criteria represent the standards against which the audit evidence is judged.<br />
Performance audit criteria are reasonable and attainable, audit specific standards of<br />
performance against which the economy, efficiency, and effectiveness can be<br />
assessed and evaluated to determine whether performance falls short of, meets or<br />
exceeds expectations. The audit criteria are intended to give direction to the<br />
assessment (helping the auditor to answer questions such as ‘On what grounds is it<br />
possible to assess actual performance?’ ‘What is required or expected?’ ‘What<br />
results are to be achieved – and how?’).<br />
56) In defining audit criteria, the auditor needs to consider that the criteria are relevant,<br />
understandable, complete, reliable, and objective. These attributes can be described<br />
as follows:<br />
a) Relevant audit criteria contribute to conclusions that assist decision-making by<br />
intended users and to conclusions that answer on the audit questions.<br />
b) Understandable audit criteria are those that are clearly stated, contribute to clear<br />
conclusions and are comprehensible to the intended users. They are not subject<br />
to wide variations in interpretation.<br />
c) Complete audit criteria are those that are sufficient for the audit purpose and do<br />
not omit relevant factors. They are meaningful and make it possible to provide the<br />
intended users with a practical overview for their information and decision-making<br />
needs.<br />
d) Reliable audit criteria result in reasonably consistent conclusions when used by<br />
another auditor in the same circumstances.<br />
e) Objective audit criteria are free from any bias on the part of the auditor or the<br />
audited entity.<br />
57) The audit criteria can be qualitative or quantitative and may be general or specific,<br />
focusing on what is expected, according to sound principles, scientific knowledge and<br />
best practice; or on what could be (given better conditions) or on what should be<br />
according to laws, regulations or objectives. Diverse sources, besides legislation, can<br />
be used to identify audit criteria, including regulations, standards, sound principles<br />
and best practices, performance measurement frameworks and organisational<br />
policies and procedures.<br />
58) Criteria can perform a series of important roles to assist the conduct of a<br />
performance audit, including:<br />
a) providing a basis on which procedures can be built for the collection of audit<br />
evidence;<br />
b) providing the basis for assessing the evidence, developing audit findings and<br />
reaching conclusions on the audit objectives;<br />
c) helping to add form and structure to observations;<br />
d) forming a common basis for communication within the audit team and with SAI<br />
management concerning the nature of the audit; and<br />
e) forming a basis for communication with the audited entity’s management.<br />
59) In performance auditing, the general concepts of economy, efficiency, and<br />
effectiveness need to be interpreted in relation to the subject matter, and the<br />
resulting criteria will usually vary from one audit to another. However, established<br />
criteria may also be useful for other audits of the same audited entity or for audits of<br />
entities with a similar scope.<br />
60) Audit criteria are established by the auditor. However, they must be discussed with<br />
the audited entity (and possibly with other stakeholders) during the planning phase,<br />
or at the latest in the conducting phase of the audit. Discussing the audit criteria with<br />
the audited entity serves to ensure there is a shared and common understanding of<br />
what criteria will be used as benchmarks when evaluating the audited entity. It is<br />
therefore important to clearly define the criteria that the audited entity will be<br />
assessed against. 64<br />
Examples of performance audit criteria include:<br />
• Laws and regulations applicable to the operation of the audited entities.<br />
• Goals, policies and procedures established by the audited entities.<br />
• Technically-developed standards or norms.<br />
• Expert opinions.<br />
• Procedures for a function or activity.<br />
• Defined business practices.<br />
• Contracts or grant agreements.<br />
• Benchmarks or performance indicators set by the SAI, the audited entities or other<br />
relevant entities or sectors.<br />
• Prior periods’ performance.<br />
• Criteria used in similar audits or by other SAIs. (Note: You will need to ensure these<br />
criteria are still valid.) 65<br />
64 GUID 3910 Central Concepts of Performance Auditing, INTOSAI, 2019.<br />
[Diagram: Audit criteria at the centre, surrounded by the attributes Objective, Understandable, Reliable, Testable, Relevant, Complete]<br />
Attributes of Audit Criteria (based on Performance Audit ISSAI Implementation Handbook) 66<br />
Benchmarks can be used as a way of gauging accomplishments in comparison with<br />
recognized good practice. They are useful for identifying poor performance and for<br />
identifying solutions and driving improvements. The adequacy of performance is considered<br />
against a set of aspirational criteria. Benchmarks may be drawn from within the entity under<br />
review or from external sources.<br />
Rauum and Morgan describe a 10-step process for using benchmarks to inform a<br />
performance audit as illustrated below.<br />
65 Performance Audit ISSAI Implementation Handbook, IDI, 2021.<br />
66 See Performance Audit ISSAI Implementation Handbook, IDI, 2021.<br />
Establish current performance:<br />
• Select audit subject<br />
• Select comparison entities or locations<br />
• Apply measurements for both subject and selected comparison (benchmark)<br />
Identify opportunities for improvement<br />
• Compare measurements of subject and benchmark<br />
• Estimate the effect<br />
• Discuss with management for possible causes<br />
Collect data on causes and solutions<br />
• Map key processes<br />
• Collect data on differences between subject and benchmark<br />
• Identify best practices and barriers<br />
• Test management-asserted causes<br />
Recommend improvements<br />
• Communicate findings and solicit comment<br />
• Identify potential solutions and make recommendations<br />
Process for Benchmarking Approach in Performance Audits 67<br />
4B.6: Reflection<br />
What steps are followed to establish appropriate criteria for performance audits?<br />
How do these differ from similar steps for other kinds of audit engagements?<br />
What are the risks involved in selecting audit criteria and how can these be managed?<br />
67 See Rauum and Morgan, Performance Auditing: A Measurement Approach, The Internal<br />
Audit Research Foundation, 2009.<br />