Module 4 - Introduction to Performance Audit_4B

4B. Planning a Performance Audit Engagement (40%) 

4B. Learning Outcomes 

On completion of this Module, students will be better able to: 

 

 

 

 

 

 

 

Describe the decision-making process for including performance audits in the plan of 

engagements. 

Identify appropriate subject matter for a performance audit. 

Create a plan for a performance audit engagement. 

Define performance audit objectives. 

Select appropriate criteria for a performance audit. 

Develop a suitable scope for a performance audit. 

Use appropriate methods for gathering evidence. 

4B.1 Performance Audits in the Audit Plan 

The first formal step in performance auditing is identifying the need for the engagement and 

including it in the plan of audits. Engagements should be chosen to offer maximum added 

value and ensure adequate audit coverage within the confines of available resources. 

Factors impacting the decision to plan for a performance audit may include the following 

features of the entity, policy, activity, project, or system under consideration: 

Financial significance. 

Public constraints. 

Known or alleged problems or wrongdoing. 

Potential for cost savings and service improvements. 

Financial condition – of the governing body, trust funds, etc. 

Visibility of the program – political sensitivity, national importance. 

Risk of loss, fraud, and corruption. 

Public welfare (health, safety, etc.) 

Interest of management, the legislature, and the public. 

Recent audit coverage. 36 

Two key aspects should be identified to ensure the needs of the intended users of the audit 

report remain at the center of the process: 

 

 

Subject matter. 

Key parties to the audit. 

Subject Matter 

ISSAIs describe the process for identifying the topic or subject matter for a performance 

audit, as follows. 

26) Subject matter refers to the information, condition or activity that is measured or 

evaluated against certain criteria. It can take many forms and have different 

36 

Rauum and Morgan, Performance Auditing: A Measurement Approach, The Internal Audit 

Research Foundation, 2009. 

24

characteristics depending on the audit objective. An appropriate subject matter is 

identifiable and capable of consistent evaluation or measurement against the criteria, 

such that it can be subjected to procedures for gathering sufficient and appropriate 

audit evidence to support the audit opinion or conclusion. 37 

19) The subject matter of a performance audit need not be limited to specific 

programmes, entities or funds but can include activities (with their outputs, outcomes 

and impacts) or existing situations (including causes and consequences). Examples 

might be service delivery by the responsible parties or the effects of government 

policy and regulations on administration, stakeholders, businesses, citizens and 

society. The subject matter is determined by the objective and formulated in the audit 

questions. 38 

30) The subject matter relates to the question “what is audited” and is defined in the audit 

scope. The subject matter of a performance audit may be specific programmes, 

undertakings, systems, entities or funds and may comprise activities (with their 

outputs, outcomes and impacts) or existing situations, including causes and 

consequences. The audit scope is the boundary of the audit and is directly tied to the 

audit objectives. The audit scope defines the subject matter that the auditor will 

assess and report on, the documents or records to be examined, the period 

reviewed, and the locations that will be included. 39 

Topics for performance engagements are identified in the context of the assurance 

provider’s planning processes. The Performance Audit ISSAI Implementation Handbook 

provides an example framework for identifying important topics for performance audits, 

summarized below. 

Activity 

Scanning the public 

sector environment 

Reviewing official 

announcements 

Financial analysis 

Media monitoring 

Description 

Monitoring key issues in the public sector. 

Monitoring official announcements and publications, including: 

National sustainable development goals. 

Resolutions by the Committee on Public Accounts or equivalent. 

State of the nation or parliamentary opening speeches by the 

head of state. 

Legislation and legislative proposals. 

National budgets and guidelines. 

Other public policy documents. 

Annual reports of audited entities. 

Global developments, such as themes identified by INTOSAI. 

Paying close attention to: 

Complex financial arrangements. 

New sources of income and expenses. 

Areas where spending is high or changing rapidly. 

Monitoring a wide range of media to identify concerns about public 

37 

ISSAI 100 Fundamental Principles of Public Sector Auditing, INTOSAI, 2019. 

38 

ISSAI 300 Performance Audit Principles, INTOSAI, 2019. 

39 

ISSAI 3000 Performance Audit Standard, INTOSAI, 2019. 

25

General overviews 

Consideration of 

views of citizens 

Liaison with other 

external 

stakeholders 

Internal discussions 

and assessments 

within the SAI 

services. 

Completing a general overview or survey to identify audited entity’s 

objectives, main activities, and the level and nature of resources 

used in carrying out its functions. 

Engaging with representatives of civil society, taking account of 

inclusiveness, stakeholder concerns, public interest, regulatory 

requirements, and consequences for society. 

Building relationships with external stakeholders, subject experts, 

academics, and other relevant parties, including non-government 

organizations to leverage available research, case studies, and 

networks. 

Discussion with other auditors and review of previous audits, 

identifying trends, themes, and potential audit priorities. 

Framework for Strategic Planning 40 

Criteria for selecting topics may be identified and scored to assist with the process of 

prioritization. Entity and central government priorities may be considered including the 

application of budgetary resources. Criteria may cover the following: 

Materiality. 

Auditability. 

Possible impact. 

Risks to the SAI (or internal audit function). 

Legislative or public interest. 

Relevance. 

Timeliness. 

Previous audit work. 

Other major work planned or in progress. 

Requests for maintenance audits. 41 

The purpose of criteria is to assist the auditor in making an evaluation of performance 

without reducing the assessment to a compliance check. The internal audit standards 

emphasize the importance of a risk-based approach, in accordance with Standard 2010 – 

Planning. Performance audits (like other engagements) are identified based on 

organizational priorities, objectives, and significant risks. The plan may be modified as 

circumstances change. 

2010 – Planning 

The chief audit executive must establish a risk-based plan to determine the priorities 

of the internal audit activity, consistent with the organization’s goals. 

Interpretation: 

To develop the risk-based plan, the chief audit executive consults with senior 

management and the board and obtains an understanding of the organization’s 

40 

Performance Audit ISSAI Implementation Handbook, IDI, 2021. 

41 


26

strategies, key business objectives, associated risks, and risk management 

processes. The chief audit executive must review and adjust the plan, as necessary, 

in response to changes in the organization’s business, risks, operations, programs, 

systems, and controls. 

2010.A1 The internal audit activity’s plan of engagements must be based on a 

documented risk assessment, undertaken at least annually. The input of senior 

management and the board must be considered in this process. 

2010.A2 The chief audit executive must identify and consider the expectations of 

senior management, the board, and other stakeholders for internal audit opinions and 

other conclusions. 42 

No process is going to yield a definitive answer on the topics needed for performance audits 

and the final decision requires the exercise of professional judgment. 

Because of the differences in breadth of scope, the likely topics of performance audits 

conducted by internal auditors differ from those of external auditors. Topics of performance 

audits conducted by internal audit functions typically focus on a single entity and its 

activities. Topics may include: 

 

 

 

 

Policy implementation at the entity level. 

Impact assessment of social projects implemented by the entity. 

IT initiatives such as upgrades, the introduction of new systems, and digital 

transformation. 

Organizational change management initiatives such as restructuring. 

Topics of performance audits conducted by SAIs, on the other hand, focus on government 

as a whole and may span subject matter that is the responsibility of multiple entities. Topics 

may include: 

Preparedness for implementation of SDGs. 

Effective procurement. 

Coordination across government. 

Economic outcomes. 

Regulation. 

Social outcomes. 

Environmental and sustainability outcomes. 

Gender equality. 

Infrastructure. 

Education. 

Health, education, and gender equality. 43 

The Performance Audit ISSAI Implementation Handbook describes a process for selecting a 

topic as follows: 

42 

The International Professional Practices Framework, The IIA, 2016. 

43 

Taken from Performance Audit ISSAI Implementation Handbook, IDI, 2021. 

27

Understand interests and priorities from the ministry, legislature, government, or 

other stakeholders such as civil society organisations or the public. 

Use selection criteria to ensure audit topics are significant, auditable, and consistent 

with the SAI’s mandate. 

Scan the audit environment by conducting risk, financial, and policy analysis. 

Prioritise audit topics and determine the SAI’s highest priorities. 

Select a topic for the audit team. 44 

Key Parties 

When developing the plan of audits, it is important to recognize who the key parties are, as 

required by the standards: 

25) The auditor shall explicitly identify the intended users and the responsible parties of 

the audit and throughout the audit consider the implication of these roles in order to 

conduct the audit accordingly. 45 

There is a tendency to focus on the end user but there are other parties to consider as well. 

The three parties to an internal audit assurance engagement are described in the IPPF as 

follows: 

(1) the person or group directly involved with the entity, operation, function, process, 

system, or other subject matter – the process owner, 

(2) the person or group making the assessment – the internal auditor, and 

(3) the person or group using the assessment – the user. 46 

For internal audit, the primary users are the process owners or unit manager, senior 

management, and the governing body. 

The three parties to a public sector external audit are described slightly differently in ISSAI 

100: 

25) Public-sector audits involve at least three separate parties: the auditor, a responsible 

party and intended users. The relationship between the parties should be viewed 

within the context of the specific constitutional arrangements for each type of audit. 

 

 

The auditor: In public-sector auditing the role of auditor is fulfilled by the Head of 

the SAI and by persons to whom the task of conducting the audits is delegated. 

The overall responsibility for public-sector auditing remains as defined by the 

SAI’s mandate. 

The responsible party: In public-sector auditing the relevant responsibilities are 

determined by constitutional or legislative arrangement. The responsible parties 

may be responsible for the subject matter information, for managing the subject 

matter or for addressing recommendations, and may be individuals or 

organisations. 

44 


45 

ISSAI 300 Performance Audit Principles, INTOSAI, 2019. 

46 


28

Intended users: The individuals, organisations or classes thereof for whom the 

auditor prepares the audit report. The intended users may be legislative or 

oversight bodies, those charged with governance or the general public. 47 

The responsible party is responsible not only for the activities being evaluated but also for 

supporting the auditors during the engagement by providing unrestricted access to the 

information, people, and resources needed. 

4B.1: Reflection 

Identify some recent performance audits you have been involved with or those that have 

been managed by your audit team. 

Which aspects of the planning and execution of those performance audits worked well? 

Which aspects were less successful or more difficult or challenging than expected? 

What improvements can be made to the process for planning and performing performance 

audits? 

How is the decision made to include a performance audit in the plan of engagements? 

How is the topic identified? Who is involved in the decision? 

How are the key parties of an audit identified and their needs evaluated? Is there a formal 

process? 

4B.2 Getting Started 

The key steps in audit design and planning may be described as follows: 

Conduct pre- 

Study 

Define 

objectives 

Establish 

approach/ 

methodology 

Formulate 

audit 

questions 

Select criteria 

Document 

the audit 

Key Steps in Performance Audit Design 

For internal audit planning, the IPPF provides standards relevant to every kind of audit 

without specific relevance to performance audits. 

2200 – Engagement Planning 

47 

ISSAI 100 Fundamental Principles of Public Sector Auditing, INTOSAI, 2019. 

29

Internal auditors must develop and document a plan for each engagement, including the 

engagement’s objectives, scope, timing, and resource allocations. The plan must 

consider the organization’s strategies, objectives, and risks relevant to the engagement. 

2201 – Planning Considerations 

In planning the engagement, internal auditors must consider: 

 

 

 

 

The strategies and objectives of the activity being reviewed and the means by which 

the activity controls its performance. 

The significant risks to the activity’s objectives, resources, and operations and the 

means by which the potential impact of risk is kept to an acceptable level. 

The adequacy and effectiveness of the activity’s governance, risk management, and 

control processes compared to a relevant framework or model. 

The opportunities for making significant improvements to the activity’s governance, 

risk management, and control processes. 48 

For external auditors, ISSAI 3000/96-105 provides standards for planning performance 

audits and may be summarized as follows: 

 

 

 

 

 

 

 

The plan should support quality and timely results. 

The audit should be considered as a project requiring “organizing, securing, 

managing, leading, and controlling resources to achieve specific goals.” 

The auditor needs sufficient background knowledge which generally requires initial 

research “for building knowledge, testing various audit designs and checking whether 

the necessary data are available” (acquired through the pre-study). 

Audit responsibilities should be clearly assigned. 

Audit plan and procedures should be designed to gather “sufficient and appropriate 

evidence” based on the objectives and develop timely and relevant findings, 

conclusions, and recommendations. 

The plan and procedures should be flexible to respond to insights gained. 

“Performance audit is a learning process involving adaptation of methodology, as 

part of the audit itself.” 

Audit plan, procedures, objectives, and criteria should be approved by the supervisor 

as part of quality control. 49 

Performance Audit Pre-Study 

The pre-study is used to ensure the auditor has sufficient information to plan and manage 

the engagement. Implementation Guidance 2201 – Planning Considerations suggests a 

survey may be useful at the planning stage of an internal audit engagement. 

Internal auditors can plan effectively for an engagement if they start with an 

understanding of the mission, vision, objectives, risk, risk appetite, control environment, 

governance structure, and risk management process of the area or process under 

48 


49 

ISSAI 3000 Performance Audit Standard, INTOSAI, 2019. 

30

eview. A preliminary survey could be a valuable tool to help internal auditors achieve a 

sufficient understanding of the area or process to be audited. 50 

The Performance Audit ISSAI Implementation Handbook provides more specific guidance 

with respect to information gathering for a performance audit. 

To determine whether conditions for a successful audit exist, you will need to build on 

work completed when you selected your audit topic; that is, by collecting additional 

information that enables you to understand: 

The organisational structures, roles and functions, stakeholders, activities and 

processes, resources, and trends. 

The organisational goals. 

Applicable internal controls. 

The internal and external environmental factors that affect the entities and 

programmes under review. 

The external constraints affecting the delivery of outputs and outcomes. 

What is working well and not working well within the entities and programmes 

under review. 

The criteria that exist or can be developed to assess performance. 

The extent to which the activities are inclusive of all affected parties. 51 

While this information may be collected continuously during the execution of the 

engagement, much of the information is needed at an early stage. In particular, the need is 

to define objectives and select scope and methodology. Potential information sources 

include: 

Legislation, legislative speeches, ministerial statements and government decisions. 

Strategic and corporate plans, mission statements and annual reports. 

Discussions with audited entity management and staff and key stakeholders. 

Organisation charts, internal guidelines, and operating manuals. 

Interviews with experts, including non-governmental. 

Policies, directives and plans. 

Previous audit reports. 

Reviews, evaluations and studies. 

Performance and accountability reports. 

Media coverage. 

Management information systems. 

Websites. 52 


50 


51 


52 


31

How does the planning process for a performance differ from planning for other types of 

engagements? 

How does your audit function conduct a pre-study for a performance engagement? 

Which information needed for the pre-study is readily accessible? Which information is 

harder to acquire? 

4B.3 Audit Objectives 

Audit objectives may be developed in conjunction with the subject matter or as a more 

detailed expansion of the outline topic. The objectives state what the audit is intended to 

accomplish. 

Internal audit standards for setting objectives focus on an assessment of risk as well as the 

potential for “significant errors, fraud, noncompliance, and other exposures.” 53 However, this 

does not address the specific requirements of a performance audit with the purpose of 

evaluating economy, effectiveness, and efficiency. 

Objectives serve as the basis for developing questions the audit is designed to answer. 

Objectives need to be clear, concise, objective, and measurable, and enable the auditor to 

reach an unambiguous conclusion. The objectives also serve to communicate the purpose of 

the audit to stakeholders. 

The care taken in developing objectives can make the difference between a successful and 

an unsuccessful audit. Each objective should be written in the form of a question (or as 

statements beginning “to determine…”) and contain the following key elements: 

Subject (i.e., the subject matter – e.g., organization, program, program component, 

function, or activity). 

Performance aspects (i.e., what management is responsible for, namely carrying 

out public functions efficiently, economically, effectively, ethically, and equitably, 

while achieving desired program objectives.) 

Finding elements to be addressed according to the needs of the intended user (i.e., 

one or more of condition, effect of the condition, significance of the effect, and 

potential solution). 

Criteria (to include agency goals, when available, even if such goals are found to be 

deficient and contributing to low performance). 

Audit focus/approach (how the objective may be investigated). 54 

Objectives may be formulated in different ways. The following examples are taken from 

Performance Audit ISSAI Implementation Handbook: 

 

Problem-oriented approach: the objective is stated to include a short description 

of a known issue. For example, “to determine why the fisheries and environment 

department did not enforce key fisheries statutes and habitat policy.” 

53 

Standard 2210 – Engagement Objectives, The International Professional Practices 

Framework, The IIA, 2016. 

54 

Based on Rauum and Morgan, Performance Auditing: A Measurement Approach, The 

Internal Audit Research Foundation, 2009. 

32

Results-oriented approach: the objective directly describes what is to be 

measured. For example, “to assess the extent to which officers have implemented 

key income tax provisions.” 

Systems-oriented approach: the objective focuses on what the system under 

review is designed to do. For example, “to assess the extent that agency systems 

include controls needed to monitor how grant recipients use funds.” 

Audit Questions 

Once formulated, audit objectives are often used to develop more specific audit questions as 

a focus for the audit work. Guidance for creating audit questions for performance audits is 

included in GUID 3920 The Performance Auditing Process (31-34). 55 This can be 

summarized as follows: 

 

 

 

Audit questions “stated in a neutral form” addressing the audit objectives “help define 

and structure the audit.” 

Questions should be “thematically related, complementary, not overlapping, and 

collectively exhaustive in addressing the audit objective(s).” 

In relation to a known condition or conditions, questions may be analytical, 

normative, or descriptive. 

The engagement can be considered complete when the questions are satisfactorily 

answered. Further questions, however, may arise as the engagement proceeds, especially if 

significant changes occur in the operating during the execution of fieldwork, such as 

changes to relevant laws, policies, structures, and operations. Investigation will establish 

conditions. Root cause analysis techniques can be used to help the auditor identify potential 

causes of known conditions and develop additional audit questions to be used to guide 

further inquiry that will establish causality in fact. 

It is possible to imagine a hierarchy of questions stemming from the primary question which 

originates from the risk analysis. Collectively the questions should be exhaustive and 

mutually exclusive without undue overlap or gaps, and be both relevant (i.e., derived from 

the risk assessment) and auditable (i.e., definitively answerable). 56 


What process is followed for developing and approving audit objectives and questions for 

performance audits? 

Is there a set format or template for audit objectives and questions your audit function 

uses? 

When are objectives and questions communicated with the responsible party and how? 

55 

GUID 3920 The Performance Auditing Process, INTOSAI, 2019. 

56 

For more guidance on developing audit objectives and questions see, for example, 

European Court of Auditors “Developing the Audit Objectives,” 2013. 

33

4B.4 Audit Scope 

It is necessary to define the scope of any engagement as it sets the boundaries for the 

investigative work, including the period of interest and particular activities and locations to be 

audited. Without a scope or in the absence of a well-defined scope, there is no clear 

indication of what may be considered within the engagement nor when the engagement may 

be regarded as complete. Audit objectives and questions to be answered help guide the 

auditor in determining to what needs to be included in the scope. 

The scope defines the boundary of your audit and addresses such things as specific 

questions you intend to ask and the type of study you will complete. In particular, the 

audit scope defines the subject matter the auditor will assess and report on, the 

documents or records to be examined, the period reviewed, and the locations that 

will be included. The scope is directly impacted by the audit’s objective(s) and 

questions. As a result, you may need to modify the scope as you collect information 

and become more knowledgeable about the subject of the audit. 57 

Engagement creep can occur when scope is poorly defined and additional work is included 

which is outside of the original intended purpose. While it is sometimes possible and useful 

to extend the engagement, such as when consulting opportunities are identified during the 

audit, this should be done in a formalized manner. 

Standard 2220 describes the requirements applicable to all internal audit engagements. 

The established scope must be sufficient to achieve the objectives of the 

engagement. 

2220.A1 The scope of the engagement must include consideration of relevant 

systems, records, personnel, and physical properties, including those under the 

control of third parties. 

2220.A2 If significant consulting opportunities arise during an assurance 

engagement, a specific written understanding as to the objectives, scope, respective 

responsibilities, and other expectations should be reached and the results of the 

consulting engagement communicated in accordance with consulting standards. 

2220.C1 In performing consulting engagements, internal auditors must ensure that 

the scope of the engagement is sufficient to address the agreed-upon objectives. If 

internal auditors develop reservations about the scope during the engagement, these 

reservations must be discussed with the client to determine whether to continue with 

the engagement. 

2220.C2 During consulting engagements, internal auditors must address controls 

consistent with the engagement’s objectives and be alert to significant control 

issues. 58 

57 


58 

Standard 2220 – Engagement Scope, The International Professional Practices 

Framework, The IIA, 2016. 

34

Determining scope is fundamental to audit design and much of the audit plan follows once 

this scope been established as illustrated below. 

Select strategy 

Select scope 

Select analytical methods 

and performance 

measurements (criteria) 

Select data to use 

Determine data sources 

and collection methods 

Select methods for 

validating data 

Test fieldwork plan 

Steps in Audit Design (based on Rauum and Morgan, 2009) 59 

Audit methodology and audit criteria are part of this process and are considered below. 

The auditor is naturally guided and constrained by considerations such as time, cost, 

resources, expertise, professional standards, policies, and approved procedures. In general, 

the time, skill, and resources needed to complete the audit should be made available, but 

auditors must also operate efficiently. 

In some cases, it may be possible to test every potential element covered by the audit 

objectives exhaustively, but typically the frame of reference is selectively limited in terms of 

the timeframe (by ignoring events occurring earlier or later than a selected period) and the 

universe by defining a representative subset of people, activities, locations, and outputs on 

which to base the investigation. 

To help set the scope and determine what aspects of the universe to include, whether to 

sample or investigate the entire universe, the following questions can be used. 

Topic Questions 

What? What specific questions or hypotheses are being examined? 

What are the key processes relevant to your audit? 

59 

Rauum and Morgan, Performance Auditing: A Measurement Approach, The Internal Audit 

Research Foundation, 2009. 

35

What is the subject matter that will be assessed and reported on? 

What resources are available to complete the audit? 

What questions, processes, and resources will not be covered? 

Who? Which agencies and organisations have responsibilities or perspectives 

relevant to the audit? 

Who within relevant agencies and organisations is best positioned to 

provide appropriate and sufficient evidence to answer the audit questions? 

Who is responsible for assuring the reliability of information and data that 

are relevant to your audit? 

Which organisations or persons will be excluded? 

Where? What are the locations to be covered? 

Where are the documents and records that need to be examined? 

What locations will be excluded? 

When? What is the timeframe to be covered? 

Scope Questions 60 

The processes used for defining audit objectives, questions, and scope for performance 

audits are closely related. Clarifying one of these aspects for the audit helps to clarify the 

others. Often, they are developed together for this reason rather than as part of a distinct 

sequential process. 


What is the process used by your audit function for defining audit objectives, questions, 

and scope for performance audits? 

To what extent are inputs from parties other than the internal auditor involved in this 

process? 

Which aspects of defining audit objectives, questions, and scope for performance audits 

are the most difficult and the most important? 

Do experienced internal auditors require additional training when planning a performance 

audit for the first time? 

4B.5 Methodology 

Consideration of methodology forms part of the planning process and will inform how the 

engagement is subsequently performed. Methodology includes the techniques to be chosen 

for collecting and processing information (comparison, measurement, data analytics, 

graphical representations, etc.). Evidence is needed to support the finding elements defined 

in the audit objectives. The typical approach comprises the following: 

 

 

 

Define and document the criteria. 

Determine the condition. 

Establish the effect. 

60 


36

Identify cause. 

This is illustrated in the diagram below: 

Criteria 

Recommendation 

Finding 

Condition 

Effect 

Cause 

These key terms may be defined as follows: 

Elements of Audit Findings 

 

 

 

 

Criteria – what should be found from gathering and processing information about the 

topic area. 

Condition – what was found. 

Effect – the consequences of the condition (likelihood and impacts of resulting risks). 

Cause – what gave rise to the condition discovered. 

Based on their analysis, auditors can communicate their findings to intended users. 

 

Finding – actual performance (economy, effectiveness, and efficiency) with reference 

to the criteria, condition, effect, and cause. Reported findings may be limited to 

deficiency or performance below the desired level as defined by the criteria. 

In addition, auditors may also provide recommendations for addressing weaknesses and 

making improvements. 

Information gathering starts at the earliest stages of planning, including the use of any prestudy, 

and continues throughout the engagement. The processes described below also 

inform the performing stages, beginning in earnest after the planning and preparation. All 

data used needs to be checked for sufficiency, relevance, and reliability. Steps for confirming 

37

eliability may include corroboration, verification, validation, and obtaining additional 

information. 61 

There are different ways of gathering information. Substantive procedures defined by audit 

standards (e.g., ISA 330) 62 generally include the following: 

 

 

 

 

 

 

 

Inspection. 

Observation. 

External confirmation. 

Recalculation. 

Reperformance. 

Analytical procedures (including the use of computer assisted audit tools CAATs). 

Inquiry. 

The IDI handbook provides an alternative and broader way of considering data-gathering 

methods as illustrated below. 

Direct 

observations 

and 

inspection 

Surveys 

Site visits 

File reviews 

and 

structured 

observations 

Small group 

methods 

(e.g., focus 

groups) 

Document 

collection 

Secondary 

data 

Interview 

Data- 

Gathering 

Case 

studies 

Data-Gathering Methods for Performance Audits (based on Performance Audit ISSAI 

Implementation Handbook) 63 

Regardless of the methods used, the auditor must ensure evidence is sufficient, reliable, and 

relevant. Evidence gathering is considered in more detail in section 4C.1 as a major part of 

fieldwork. 

61 

See Rauum and Morgan, Performance Auditing: A Measurement Approach, The Internal 

Audit Research Foundation, 2009. 

62 

See ISA 330, The Auditor’s Response to Assessed Risks, IFAC, 2013. 

63 

See Performance Audit ISSAI Implementation Handbook, IDI, 2021. 

38


Which data gathering methods are favored over others and why? 

Do you report positive findings in performance audits where conditions match or exceed 

the criteria? 

Do you routinely offer recommendations even when performance is at or above the level 

expected? 

4B.6 Audit Criteria 

When evaluating performance, the auditor may focus on processes and/or results. The audit 

may evaluate the adequacy of: 

 

 

How tasks are performed. 

Results achieved. 

The purpose of audit criteria is to establish a basis of measurement of performance through 

a comparison of actual results with expected, desired, and/or reasonable outputs, outcomes, 

and impacts with plans, forecasts, benchmarks, and other standards. The criteria should 

enable the auditor to reach conclusions regarding economy, effectiveness, and efficiency. 

55) The audit criteria represent the standards against which the audit evidence is judged. 

Performance audit criteria are reasonable and attainable, audit specific standards of 

performance against which the economy, efficiency, and effectiveness can be 

assessed and evaluated to determine whether performance falls short of, meets or 

exceeds expectations. The audit criteria are intended to give direction to the 

assessment (helping the auditor to answer questions such as ‘On what grounds is it 

possible to assess actual performance?’ ‘What is required or expected?’ ‘What 

results are to be achieved – and how?’). 

56) In defining audit criteria, the auditor needs to consider that the criteria are relevant, 

understandable, complete, reliable, and objective. These attributes can be described 

as follows: 

a) Relevant audit criteria contribute to conclusions that assist decision-making by 

intended users and to conclusions that answer on the audit questions. 

b) Understandable audit criteria are those that are clearly stated, contribute to clear 

conclusions and are comprehensible to the intended users. They are not subject 

to wide variations in interpretation. 

c) Complete audit criteria are those that are sufficient for the audit purpose and do 

not omit relevant factors. They are meaningful and make it possible to provide the 

intended users with a practical overview for their information and decision-making 

needs. 

d) Reliable audit criteria result in reasonably consistent conclusions when used by 

another auditor in the same circumstances. 

39

e) Objective audit criteria are free from any bias on the part of the auditor or the 

audited entity. 

57) The audit criteria can be qualitative or quantitative and may be general or specific, 

focusing on what is expected, according to sound principles, scientific knowledge and 

best practice; or on what could be (given better conditions) or on what should be 

according to laws, regulations or objectives. Diverse sources, besides legislation, can 

be used to identify audit criteria, including regulations, standards, sound principles 

and best practices, performance measurement frameworks and organisational 

policies and procedures. 

58) Criteria can perform a series of important roles to assist the conduct of a 

performance audit, including: 

a) providing a basis on which procedures can be built for the collection of audit 

evidence; 

b) providing the basis for assessing the evidence, developing audit findings and 

reaching conclusions on the audit objectives; 

c) helping to add form and structure to observations; 

d) forming a common basis for communication within the audit team and with SAI 

management concerning the nature of the audit; and 

e) forming a basis for communication with the audited entity’s management. 

59) In performance auditing, the general concepts of economy, efficiency, and 

effectiveness need to be interpreted in relation to the subject matter, and the 

resulting criteria will usually vary from one audit to another. However, established 

criteria may also be useful for other audits of the same audited entity or for audits of 

entities with a similar scope. 

60) Audit criteria are established by the auditor. However, they must be discussed with 

the audited entity (and possibly with other stakeholders) during the planning phase, 

or at the latest in the conducting phase of the audit. Discussing the audit criteria with 

the audited entity serves to ensure there is a shared and common understanding of 

what criteria will be used as benchmarks when evaluating the audited entity. It is 

therefore important to clearly define the criteria that the audited entity will be 

assessed against. 64 

Examples of performance audit criteria include: 

 

 

 

 

 

 

Laws and regulations applicable to the operation of the audited entities. 

Goals, policies and procedures established by the audited entities. 

Technically-developed standards or norms. 

Expert opinions. 

Procedures for a function or activity. 

Defined business practices. 

64 

GUID 3910 Central Concepts of Performance Auditing, INTOSAI, 2019. 

40

Contracts or grant agreements. 

Benchmarks or performance indicators set by the SAI, the audited entities or other 

relevant entities or sectors. 

Prior periods’ performance. 

Criteria used in similar audits or by other SAIs. (Note: You will need to ensure these 

criteria are still valid.) 65 

Objective 

Understandable 

Reliable 

Testable 

Relevant 

Audit 

criteria 

Complete 

Attributes of Audit Criteria (based on Performance Audit ISSAI Implementation Handbook) 66 

Benchmarks can be used as a way of gauging accomplishments in comparison with 

recognized good practice. They are useful for identifying poor performance and for 

identifying solutions and driving improvements. The adequacy of performance is considered 

against a set of aspirational criteria. Benchmarks may be drawn from within the entity under 

review or from external sources. 

Rauum and Morgan describe a 10-step process for using benchmarks to inform a 

performance audit as illustrated below. 

65 


66 

See Performance Audit ISSAI Implementation Handbook, IDI, 2021. 

41

Establish current 

performance: 

• Select audit subject 

• Select comparison 

entities or locations 

• Apply 

measurements for 

both subject and 

selected 

comparison 

(benchmark) 

Identify 

opportunities for 

improvement 

• Compare 

measurements of 

subject and 

benchmark 

• Estimate the effect 

• Discuss with 

management for 

possible causes 

Collect data on 

causes and 

solutions 

• Map key processes 

• Collect data on 

differences 

between subject 

and benchmark 

• Identify best 

practices and 

barriers 

• Test managementasserted 

causes 

Recommend 

improvements 

• Communicate 

findings and solicit 

comment 

• Identify potential 

solutions and make 

recommendations 

Process for Benchmarking Approach in Performance Audits 67 


What steps are followed to establish appropriate criteria for performance audits? 

How do these differ from similar steps for other kinds of audit engagements? 

What are the risks involved in selecting audit criteria and how can these be managed? 

67 

See Rauum and Morgan, Performance Auditing: A Measurement Approach, The Internal 

Audit Research Foundation, 2009. 

42

Module 4 - Introduction to Performance Audit_4B

Create successful ePaper yourself

Delete template?

Save as template?