Module 4 - Introduction to Performance Audit_4D
4D. Communicating Performance Audit Engagement Results (30%)
4D. Learning Outcomes
On completion of this Module, students will be better able to:
• Describe the requirements for reporting results of performance engagements.
• Evaluate the quality of communications.
• Develop an effective executive summary.
• Generate and communicate appropriate recommendations.
• Monitor management actions and implementation of recommendations following a performance audit.
4D.1 Performance Audit Report
IIA standards describe the requirements for reporting the results of an audit. These standards cover all types of engagements with no specific direction for performance audits.
2400 – Communicating Results
Internal auditors must communicate the results of engagements.
2410 – Criteria for Communicating
Communications must include the engagement’s objectives, scope, and results.
2410.A1 Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.
Interpretation:
Opinions at the engagement level may be ratings, conclusions, or other descriptions of the results. Such an engagement may be in relation to controls around a specific process, risk, or business unit. The formulation of such opinions requires consideration of the engagement results and their significance.
2410.A2 Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.
2410.A3 When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results.
2410.C1 Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client. 75
75 The International Professional Practices Framework, The IIA, 2016.
The format and the style of communications are not prescribed. There may be other communications in addition to the audit report, including close-out meetings and a range of other formal and informal exchanges throughout the engagement.
The requirements for the quality of communications are defined in Standard 2420 and illustrated in the diagram below.
Communications:
• Clear: easily understood and logical, avoiding unnecessary technical language, providing all significant and relevant information
• Concise: to the point, avoiding unnecessary elaboration, superfluous detail, redundancy, and wordiness
• Constructive: helpful to engagement client and organization leading to improvements where needed
• Objective: fair, impartial, and unbiased, the result of fair-minded and balanced assessment of all relevant facts and circumstances
• Complete: lacking nothing essential to target audience including all significant and relevant information and observations to support recommendations and conclusions
• Accurate: free from errors and distortions, faithful to underlying facts
• Timely: opportune and expedient, depending on significance of issue, allowing management to take appropriate corrective action
Requirements for the Quality of Communications 76
76 As defined by Standard 2420, The International Professional Practices Framework, The IIA, 2016.
Styles of reports should be adopted and adapted to meet the needs of the client and other users. Audit report formats have evolved with the advent of more flexible and responsive methods, taking advantage of technological innovations. The qualities illustrated in the diagram above need to be balanced. For example, completeness can compete with conciseness and clarity. Accuracy may compete with constructiveness if there are many deficiencies to report. The timeliness of communications can be impacted if great efforts are spent honing and perfecting the report.
Agile reporting favors shorter formats, recognizing communication is a continuous process throughout the engagement rather than simply something that occurs at the conclusion. Results can be shared with management as they emerge from the audit process, recommendations discussed, and actions agreed even before the report is finalized. Shorter reports are becoming more common to increase their user-friendliness for busy organizational leaders, providing access to fuller detail on a need-to-know basis, most likely for the process owners and unit managers. There is great skill and much value in being able to present the most significant results quickly and succinctly. Ratings systems (such as scoring and color coding) can support rapid communication but are also blunt instruments that may become a distraction if not used with care. Graphics, diagrams, tables, bullet points, dynamic dashboards, appendices, and executive summaries can all help readers navigate reports. Oral presentations supported by slides may be sufficient for some users to receive the information they need at the desired level of detail.
Auditors are well advised to think about the format of their report throughout the planning and fieldwork stages even where the format is somewhat prescribed by the internal audit unit’s manual and templates. The presentation of findings is greatly enhanced if the audit objectives and questions are well defined and designed. Nevertheless, there is still a need to present results in a well-ordered fashion, as if one is telling a story, to demonstrate the linkages and relationships among conditions, causes, and effects. Consequently, the recommendations will seem to flow naturally from the results.
The use of an executive summary benefits the reader by introducing the main headlines before the possibility of the reader being overwhelmed with detail. The reader is given a synopsis and can choose what parts of the report they wish to turn to next for more detail. The exercise of writing an executive summary is also good for the auditor as it can serve to clarify, strengthen, and refine their own understanding of the results and consequently their ability to express them clearly to the user.
Executive summaries should be well organized and typically contain the following elements:
• Statement of the purpose of the engagement.
• Background to the subject matter, including reasons why the performance audit was deemed important enough to be included in the plan of engagements, linking the reasons with entity and sector-wide goals, policies, priorities, and risks.
• Results in brief.
• Principal findings.
• Recommendations.
• Management response and agreed actions.
A close-out conference, briefing, or multiple briefings to process owners, unit managers, project leaders, senior management, governing bodies, and audit committees may be planned to support the release of the report. This may extend further, more likely in the case of external audit engagements, to include other oversight bodies and stakeholders, including line ministries, parliament, the cabinet, representatives of civil society, and possibly even the media. It goes without saying that these should be planned carefully to satisfy all the requirements for the quality of communications related to the needs and interests of the audience, taking account of data privacy and protection, public interest, national security, and political sensitivities.
For internal audit functions, the head of the unit is required to “communicate results to the appropriate parties.” 77 In particular:
The chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility.
2440.A1 The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.
2440.A2 If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization the chief audit executive must:
• Assess the potential risk to the organization.
• Consult with senior management and/or legal counsel as appropriate.
• Control dissemination by restricting the use of the results. 78
77 Standard 2440 – Disseminating Results, The International Professional Practices Framework, The IIA, 2016.
If the report contains an opinion, there are additional requirements.
2450 – Overall Opinions
When an overall opinion is issued, it must take into account the strategies, objectives, and risks of the organization; and the expectations of senior management, the board, and other stakeholders. The overall opinion must be supported by sufficient, reliable, relevant, and useful information.
Interpretation:
The communication will include:
• The scope, including the time period to which the opinion pertains.
• Scope limitations.
• Consideration of all related projects, including the reliance on other assurance providers.
• A summary of the information that supports the opinion.
• The risk or control framework or other criteria used as a basis for the overall opinion.
• The overall opinion, judgment, or conclusion reached. The reasons for an unfavorable overall opinion must be stated. 79
Regarding the final bullet above, in some situations overall opinions are only offered by external auditors as part of a financial audit and therefore external auditors must adhere to relevant ISSAI standards. All reports and briefings should be subject to a formal process of review and quality assurance.
78 Standard 2440 – Disseminating Results, The International Professional Practices Framework, The IIA, 2016.
79 The International Professional Practices Framework, The IIA, 2016.
4D.1: Reflection
What format do your internal audit reports take?
Is the format varied for performance engagements?
Do the reports include ratings and executive summaries?
Has your internal audit function worked with clients and other intended report users to develop the style, format, length, timing, delivery method, use of graphics, and other features?
4D.2 Monitoring and Follow-Up
Delivery of the audit report does not mark the end of the engagement. Auditors are required to monitor the disposition of results by tracking agreed management actions.
2500 – Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
2500.C1 The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.
The purpose of follow-up is to ensure the value of the performance engagement is optimized. Auditors are expected to report on the progress made by those responsible for completing the agreed actions and making necessary improvements.
This applies equally to performance audits. There is a similar requirement for external auditors given in ISSAI 3000:
136) The auditor shall follow up, as appropriate, on previous audit findings and recommendations and the SAI shall report to the legislature, if possible, on the conclusions and impacts of all relevant corrective actions. 80
“Follow-up” is defined as “the auditor’s examination of the corrective actions taken by the audited entity, or other responsible party, based on the results of a performance audit.” Like the audit itself, follow-up must be conducted under conditions of independence and objectivity. The audit function (whether internal or external) determines how the follow-up will be undertaken and which actions and recommendations are prioritized in the review.
GUID 3920 describes four main reasons for conducting follow-up:
a) Identify the extent to which audited entities have implemented changes in response to audit findings and recommendations.
b) Determine the impacts which can be attributed to the audits.
c) Identify areas that would be useful to follow up in future work.
d) Evaluate the SAI’s performance. Follow-up provides a basis for assessing and evaluating SAI performance and may contribute to better knowledge and improved practices in the SAI. In this respect a follow-up of audit reports is also a self-assessment tool. 81
80 ISSAI 3000 Performance Audit Standard, INTOSAI, 2019.
Follow-up should be carefully planned by the auditor with clear objectives that are communicated with the responsible party in advance. The timing of the follow-up should be based on consideration of policy priorities, risks, complexity, public interest, and political sensitivity. From the assessment made, the auditor may conclude actions have been wholly or partially implemented, or not implemented. In some cases, as circumstances change, some recommendations may no longer be relevant. It is also possible, due to constraints of time, resources, and other practical considerations, that it is not possible to reach a conclusion on the status of a recommendation or agreed action. These are illustrated in the diagram below.
Implementation status:
• Not implemented
• Partially implemented
• No longer relevant
• Fully implemented
• Could not be verified
Implementation Status of Agreed Actions and Recommendations
The results of monitoring and follow-up need to be reported in accordance with the standards referenced previously related to communications.
81 GUID 3920 The Performance Auditing Process, INTOSAI, 2019.
4D.2: Reflection
How do you decide when to schedule the follow-up to an audit engagement?
Is it ever necessary to schedule multiple follow-ups?
What format does your follow-up report take? Who are the intended users?
Appendix 1: Extract from IIA Competency Framework
Engagement planning
• Objectives and scope
• Risk assessment
• Work program
• Resources
Competency Level (General Awareness, Applied Knowledge, Expert)
Objectives and scope
• General Awareness: Describe the key roles and activities involved in establishing the objectives, evaluation criteria, and scope of an engagement.
• Applied Knowledge: Determine the objectives, evaluation criteria, and scope of an engagement.
• Expert: Evaluate the audit engagement’s objectives and scope to ensure the quality of the engagement.
Risk assessment
• General Awareness: Describe the purpose of performing a risk assessment during engagement planning and the steps involved.
• Applied Knowledge: Complete a detailed risk assessment, including prioritizing key risks and controls.
• Expert: Evaluate the risk assessment process during the audit engagement.
Work program
• General Awareness: Describe the purpose of an engagement work program and key components.
• Applied Knowledge: Prepare an engagement work program.
• Expert: Assess the audit engagement work program.
Resources
• General Awareness: Describe the factors that influence planning for staffing and resource planning for an engagement.
• Applied Knowledge: Determine staff and resources for an engagement.
• Expert: Evaluate audit engagement staffing and resources.
Engagement fieldwork
• Information gathering
• Sampling
• Computer-assisted audit tools and techniques
• Data analytics
• Evidence
• Process mapping
• Analytical review
• Documentation
Competency Level (General Awareness, Applied Knowledge, Expert)
Information gathering
• General Awareness: Describe the purpose of preliminary surveys of the engagement area, checklists, and risk-and-control questionnaires.
• Applied Knowledge: Perform a preliminary survey of the engagement area; develop checklists and risk-and-control questionnaires; examine relevant information during an engagement.
• Expert: Evaluate engagement information gathering activities.
Sampling
• General Awareness: Describe the various approaches to sampling, including advantages and drawbacks of each.
• Applied Knowledge: Apply appropriate sampling techniques.
• Expert: Evaluate audit engagement sampling activities.
Computer-assisted audit tools and techniques
• General Awareness: Describe the purpose, advantages, and disadvantages of using computer-assisted audit tools and techniques.
• Applied Knowledge: Use computer-assisted audit tools and techniques.
• Expert: Evaluate the use of computer-assisted audit tools and techniques during the audit engagement.
Data analytics
• General Awareness: Describe data analytics, the data analytics process, and the application of data analytics methods in internal auditing.
• Applied Knowledge: Apply data analytics methods.
• Expert: Evaluate the use of data analytics in internal auditing.
Evidence
• General Awareness: Recognize potential sources of evidence.
• Applied Knowledge: Evaluate the relevance, sufficiency, and reliability of potential sources of evidence.
• Expert: Develop guidelines to ensure evidence is relevant, sufficient, and reliable.
Process mapping
• General Awareness: Describe the purpose, advantages, and disadvantages of various process mapping techniques.
• Applied Knowledge: Apply appropriate analytical approaches and process mapping techniques.
• Expert: Evaluate process mapping of the audit engagement.
Analytical review
• General Awareness: Describe the purpose, advantages, and disadvantages of various analytical review techniques.
• Applied Knowledge: Determine and apply analytical review techniques.
• Expert: Evaluate analytical review techniques implemented during the audit engagement.
Documentation
• General Awareness: Describe documentation and workpaper requirements.
• Applied Knowledge: Prepare workpapers and documentation.
• Expert: Evaluate audit engagement documentation.
Engagement outcomes
• Communication quality
• Conclusions
• Recommendations
• Reporting
• Residual risk and risk acceptance
• Management action plan
• Results monitoring
Competency Level (General Awareness, Applied Knowledge, Expert)
Communication quality
• General Awareness: Describe the elements of quality engagement communications.
• Applied Knowledge: Demonstrate quality engagement communications, including preliminary communication with engagement clients.
• Expert: Evaluate audit engagement communications.
Conclusions
• General Awareness: Recognize the elements of an appropriate engagement conclusion.
• Applied Knowledge: Summarize and develop engagement conclusions.
• Expert: Evaluate audit engagement conclusions.
Recommendations
• General Awareness: Recognize the importance of providing recommendations.
• Applied Knowledge: Formulate recommendations to enhance and protect organizational value.
• Expert: Evaluate audit engagement recommendations.
Reporting
• General Awareness: Describe the engagement communication and reporting process, including interim reporting, the exit conference, obtaining management’s response, the report approval process, and distribution of the report.
• Applied Knowledge: Prepare an interim report; prepare a final audit report, seek approval, and distribute to appropriate parties.
• Expert: Review and approve engagement reports; recommend distribution of the report to appropriate parties.
Residual risk and risk acceptance
• General Awareness: Describe the chief audit executive’s responsibility for identifying and assessing the residual risk and the process for communicating management’s acceptance of risk.
• Applied Knowledge: Identify residual risk.
• Expert: Assess the impact of residual risk; communicate management’s acceptance of risk to senior management and the board.
Management action plan
• General Awareness: Describe engagement outcomes; describe the purpose of a management action plan.
• Applied Knowledge: Assess engagement outcomes, including the management action plan.
• Expert: Evaluate the collective outcomes of engagements performed by the internal audit activity.
Results monitoring
• General Awareness: Recognize the importance of monitoring and follow-up on the disposition of audit engagement results communicated to management and the board.
• Applied Knowledge: Manage monitoring and follow-up of the disposition of audit engagement results communicated to management and the board.
• Expert: Evaluate monitoring and follow-up performed by the internal audit activity.
Internal Auditor Competencies Relevant to Performance Auditing 82
82 Taken from The IIA’s Internal Audit Competency Framework, The IIA, 2022.
References and Additional Reading
Competency Framework for Public Sector Audit Professionals at Supreme Audit Institutions, INTOSAI, 2019. https://www.intosaicbc.org/wp-content/uploads/2019/09/5.-INTOSAI-Competency-Framework-revised.pdf
European Court of Auditors “Developing the Audit Objectives,” 2013. https://www.eca.europa.eu/lists/ecadocuments/guideline_audit_objectives/auditobjectives-guideline-en-oct2013.pdf
GUID 3910 Central Concepts of Performance Auditing, INTOSAI, 2019. https://www.issai.org/wp-content/uploads/2019/08/GUID-3910-Central-Concepts-for-Performance-Auditing.pdf
GUID 3920 The Performance Auditing Process, INTOSAI, 2019. https://www.issai.org/wp-content/uploads/2019/08/GUID-3920-The-Performance-Auditing-Process.pdf
Indicators of Inputs, Activities, Outputs, Outcomes and Impacts in Security and Justice Programming, Department of International Development, 2013. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/304626/Indicators.pdf
Internal Audit: How to Conduct a Performance Audit, TDOT, 2016. https://www.tn.gov/content/dam/tn/tdot/documents/InternalAudit/How_to_Conduct_a_Performance_Audit.pdf
The International Professional Practices Framework, The IIA, 2016. https://www.theiia.org/en/standards/international-professional-practices-framework/
ISA 315 (Revised 2019): Identifying and Assessing the Risks of Material Misstatement, IAASB, 2019. https://www.iaasb.org/publications/isa-315-revised-2019-identifying-andassessing-risks-material-misstatement
ISA 330, the Auditor’s Response to Assessed Risks, IFAC, 2013. https://www.ifac.org/_flysystem/azureprivate/publications/files/A019%202013%20IAASB%20Handbook%20ISA%20330.pdf
ISSAI 100 Fundamental Principles of Public Sector Auditing, INTOSAI, 2019. https://www.issai.org/wp-content/uploads/2019/08/ISSAI-100-Fundamental-Principles-of-Public-Sector-Auditing.pdf
ISSAI 140 Quality Control for SAIs, INTOSAI, 2019. https://www.issai.org/pronouncements/issai-140-quality-control-for-sais/
ISSAI 300 Performance Audit Principles, INTOSAI, 2019. https://www.issai.org/pronouncements/issai-300-performance-audit-principles/
ISSAI 3000 Performance Audit Standard, INTOSAI, 2019. https://www.issai.org/wp-content/uploads/2019/08/ISSAI-3000-Performance-Audit-Standard.pdf
Law No. 114/2015 on Internal Audit in the Public Sector, Republic of Albania Assembly, 2015. https://shtetiweb.org/wpcontent/uploads/2015/12/ligj_nr_114_dt_22_10_2015_24469_1.pdf
Law No. 154/2014 for the Organization and Functioning of the State High Control, Republic of Albania, 2014. https://www.dap.gov.al/images/LegjislacioniAP/ligj_154_27.11.2014.pdf
Performance Audit ISSAI Implementation Handbook, IDI, 2021. https://www.idi.no/workstreams/professional-sais/work-stream-library/performance-audit-issai-implementationhandbook
Performance Auditing, KPMG, 2013. https://assets.kpmg.com/content/dam/kpmg/pdf/2016/05/Performance-Auditing.pdf
Practice Guide: Unique Aspects of Internal Auditing in the Public Sector, The IIA, 2022. https://www.theiia.org/en/content/guidance/recommended/supplemental/practiceguides/unique-aspects-of-internal-auditing-in-the-public-sector/
Raaum and Morgan, Performance Auditing: A Measurement Approach, The Internal Audit Research Foundation, 2009.
The IIA’s Internal Audit Competency Framework, The IIA, 2022. https://www.theiia.org/en/resources/internal-audit-competency-framework/
CIPFA: 77 Mansell Street, London E1 8AN
+44 20 7543 5600
cipfa.org
CEF: Cankarjeva cesta 18, 1000 Ljubljana, Slovenia
+386 1 369 61 90
cef-see.org