Module 4 - Introduction to Performance Audit_4D

4D. Communicating Performance Audit Engagement
Results (30%)
4D. Learning Outcomes
On completion of this Module, students will be better able to:
Describe the requirements for reporting results of performance engagements.
Evaluate the quality of communications.
Develop an effective executive summary.
Generate and communicate appropriate recommendations.
Monitor management actions and implementation of recommendations following a
performance audit.
4D.1 Performance Audit Report
IIA standards describe the requirements for reporting the results of an audit. These
standards cover all types of engagements with no specific direction for performance audits.
2400 – Communicating Results
Internal auditors must communicate the results of engagements.
2410 – Criteria for Communicating
Communications must include the engagement’s objectives, scope, and results.
2410.A1 Final communication of engagement results must include applicable
conclusions, as well as applicable recommendations and/or action plans. Where
appropriate, the internal auditors’ opinion should be provided. An opinion must take into
account the expectations of senior management, the board, and other stakeholders and
must be supported by sufficient, reliable, relevant, and useful information.
Interpretation:
Opinions at the engagement level may be ratings, conclusions, or other descriptions of
the results. Such an engagement may be in relation to controls around a specific
process, risk, or business unit. The formulation of such opinions requires consideration
of the engagement results and their significance.
2410.A2 Internal auditors are encouraged to acknowledge satisfactory performance in
engagement communications.
2410.A3 When releasing engagement results to parties outside the organization, the
communication must include limitations on distribution and use of the results.
2410.C1 Communication of the progress and results of consulting engagements will vary
in form and content depending upon the nature of the engagement and the needs of the
client. 75
75
The International Professional Practices Framework, The IIA, 2016.
53

The format and the style of communications are not prescribed. There may be other
communications in addition to the audit report, including close-out meetings and a range of
other formal and informal exchanges throughout the engagement.
The requirements for the quality of communications are defined in Standard 2420 and
illustrated in the diagram below.
Clear
• easily understood and logical,
avoiding unnecessary
technical language, providing
all significant and relevant
information
Concise
• to the point, avoiding
unnecessary elaboration,
superfluous detail,
redundancy, and wordiness
Constructive
• helpful to engagement client
and organization leading to
improvements where needed
Objective
• fair, impartial, and unbiased,
the result of fair-minded and
balanced assessment of all
relevant facts and
circumstance
Complete
• lacking nothing essential to
target audience including all
significant and relevant
information and observations
to support recommendations
and conclusions
Accurate
• free from errors and
distortions, faithful to
underlying facts
Communications
Timely
• opportune and expedient,
depending on significance of
issue, allowing management
to take appropriate corrective
action
Requirements for the Quality of Communications 76
Styles of reports should be adopted and adapted to meet the needs of the client and other
users. Audit report formats have evolved with the advent of more flexible and responsive
methods, taking advantage of technological innovations. The qualities illustrated in the
diagram above need to be balanced. For example, completeness can compete with
conciseness and clarity. Accuracy may compete with constructiveness if there are many
deficiencies to report. The timeliness of communications can be impacted if great efforts are
spent honing and perfecting the report.
Agile reporting favors shorter formats, recognizing communication is a continuous process
throughout the engagement rather than simply something that occurs at the conclusion.
Results can be shared with management as they emerge from the audit process,
recommendations discussed, and actions agreed even before the report is finalized. Shorter
reports are becoming more common to increase their user-friendliness for busy
organizational leaders, providing access to fuller detail on a need-to-know basis, most likely
76
As defined by Standard 2420, The International Professional Practices Framework, The
IIA, 2016.
54

for the process owners and unit managers. There is great skill and much value in being able
to present the most significant results quickly and succinctly. Ratings systems (such as
scoring and color coding) can support rapid communication but are also blunt instruments
that may become a distraction if not used with care. Graphics, diagrams, tables, bullet
points, dynamic dashboards, appendices, and executive summaries can all help readers
navigate reports. Oral presentations supported by slides may be sufficient for some users to
receive the information they need at the desired level of detail.
Auditors are well advised to think about the format of their report throughout the planning
and fieldwork stages even where the format is somewhat prescribed by the internal audit
unit’s manual and templates. The presentation of findings is greatly enhanced if the audit
objectives and questions are well defined and designed. Nevertheless, there is still a need to
present results in a well-ordered fashion, as if one is telling a story, to demonstrate the
linkages and relationships among conditions, causes, and effects. Consequently, the
recommendations will seem to flow naturally from the results.
The use of an executive summary benefits the reader by introducing the main headlines
before the possibility of the reader being overwhelmed with detail. The reader is given a
synopsis and can choose what parts of the report they wish to turn to next for more detail.
The exercise of writing an executive summary is also good for the auditor as it can serve to
clarify, strengthen, and refine their own understanding of the results and consequently their
ability to express them clearly to the user.
Executive summaries should be well organized and typically contain the following elements:
Statement of the purpose of the engagement.
Background to the subject matter, including reasons why the performance audit was
deemed important enough to be included in the plan of engagements, lining the
reasons with entity and sector-wide goals, policies, priorities, and risks.
Results in brief.
Principal findings.
Recommendations.
Management response and agreed actions.
A close-out conference, briefing, or multiple briefings to process owners, unit managers,
project leaders, senior management, governing bodies, and audit committees may be
planned to support the release of the report. This may extend further, more likely in the case
of external audit engagements, to include other oversight bodies and stakeholders, including
line ministries, parliament, the cabinet, representatives of civil society, and possibly even the
media. It goes without saying that these should be planned carefully to satisfy all the
requirements for the quality of communications related to the needs and interests of the
audience, taking account of data privacy and protection, public interest, national security,
and political sensitivities.
For internal audit functions, the head of the unit is required to “communicate results to the
appropriate parties.” 77 In particular:
77
Standard 2440 – Disseminating Results, The International Professional Practices
Framework, The IIA, 2016.
55

The chief audit executive is responsible for reviewing and approving the final
engagement communication before issuance and for deciding to whom and how it
will be disseminated. When the chief audit executive delegates these duties, he or
she retains overall responsibility.
2440.A1 The chief audit executive is responsible for communicating the final results
to parties who can ensure that the results are given due consideration.
2440.A2 If not otherwise mandated by legal, statutory, or regulatory requirements,
prior to releasing results to parties outside the organization the chief audit executive
must:
Assess the potential risk to the organization.
Consult with senior management and/or legal counsel as appropriate.
Control dissemination by restricting the use of the results. 78
If the report contains an opinion, there are additional requirements.
2450 – Overall Opinions
When an overall opinion is issued, it must take into account the strategies,
objectives, and risks of the organization; and the expectations of senior
management, the board, and other stakeholders. The overall opinion must be
supported by sufficient, reliable, relevant, and useful information.
Interpretation:
The communication will include:
The scope, including the time period to which the opinion pertains.
Scope limitations.
Consideration of all related projects, including the reliance on other assurance
providers.
A summary of the information that supports the opinion.
The risk or control framework or other criteria used as a basis for the overall
opinion.
The overall opinion, judgment, or conclusion reached. The reasons for an
unfavorable overall opinion must be stated. 79
Regarding the final bullet above, in some situations overall opinions are only offered by
external auditors as part of a financial audit and therefore external auditors must adhere to
relevant ISSAI standards. All reports and briefings should be subject to a formal process of
review and quality assurance.
4D.1: Reflection
78
Standard 2440 – Disseminating Results, The International Professional Practices
Framework, The IIA, 2016.
79
The International Professional Practices Framework, The IIA, 2016.
56

What format do your internal audit reports take?
Is the format varied for performance engagements?
Do the reports include ratings and executive summaries?
Has your internal audit function worked with clients and other intended report users to
develop the style, format, length, timing, delivery method, use of graphics, and other
features?
4D.2 Monitoring and Follow-Up
Delivery of the audit report does not mark the end of the engagement. Auditors are required
to monitor the disposition of results by tracking agreed management actions.
2500 – Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the
disposition of results communicated to management.
2500.A1 The chief audit executive must establish a follow-up process to monitor and
ensure that management actions have been effectively implemented or that senior
management has accepted the risk of not taking action.
2500.C1 The internal audit activity must monitor the disposition of results of consulting
engagements to the extent agreed upon with the client.
The purpose of follow-up is to ensure the value of the performance engagement is
optimized. Auditors are expected to report on the progress made by those responsible for
completing the agreed actions and making necessary improvements.
This applies equally to performance audits. There is a similar requirement for external
auditors given in ISSAI 3000:
136) The auditor shall follow up, as appropriate, on previous audit findings and
recommendations and the SAI shall report to the legislature, if possible, on the
conclusions and impacts of all relevant corrective actions. 80
“Follow-up” is defined as “the auditor’s examination of the corrective actions taken by the
audited entity, or other responsible party, based on the results of a performance audit.” Like
the audit itself, follow-up must be conducted under conditions of independence and
objectivity. The audit function (whether internal or external) determines how the follow-up will
be undertaken and which actions and recommendations are prioritized in the review.
GUID 3920 describes four main reasons for conducting follow-up:
a) Identify the extent to which audited entities have implemented changes in response
to audit findings and recommendations.
b) Determine the impacts which can be attributed to the audits
c) Identify areas that would be useful to follow up in future work.
80
ISSAI 3000 Performance Audit Standard, INTOSAI, 2019.
57

d) Evaluate the SAI’s performance. Follow-up provides a basis for assessing and
evaluating SAI performance and may contribute to better knowledge and improved
practices in the SAI. In this respect a follow-up of audit reports is also a selfassessment
tool. 81
Follow-up should be carefully planned by the auditor with clear objectives that are
communicated with the responsible party in advance. The timing of the follow-up should be
based on consideration of policy priorities, risks, complexity, public interest, and political
sensitivity. From the assessment made, the auditor may conclude actions have been wholly
or partially implemented, or not implemented. In some cases, as circumstances change,
some recommendations may no longer be relevant. It is also possible, due to constraints of
time, resources, and other practical considerations, that it is not possible to reach a
conclusion on the status of a recommendation or agreed action. These are illustrated in the
diagram below.
Not
implemented
Partially
implemented
No longer
relevant
Fully
implemented
Implementation
status
Could not be
verified
Implementation Status of Agreed Actions and Recommendations
The results of monitoring and follow-up need to be reported in accordance with the
standards referenced previously related to communications.
4D.2: Reflection
How do you decide when to schedule the follow-up to an audit engagement audit?
Is it ever necessary to schedule multiple follow-ups?
81
GUID 3920 The Performance Auditing Process, INTOSAI, 2019.
58

What format does your follow-up report take? Who are the intended users?
59

Appendix 1: Extract from IIA Competency Framework
Engagement planning
• Objectives and scope
• Risk assessment
• Work program
• Resources
Competency Level
General Awareness Applied Knowledge Expert
Describe the key roles and
activities involved in
establishing the objectives,
evaluation criteria, and scope
of an engagement.
Determine the objectives,
evaluation criteria, and scope of
an engagement.
Describe the purpose of
performing a risk assessment
during engagement planning
and the steps involved.
Describe the purpose of an
engagement work program
and key components.
Describe the factors that
influence planning for staffing
and resource planning for an
engagement.
Complete a detailed risk
assessment, including
prioritizing key risks and
controls.
Prepare an engagement work
program.
Determine staff and resources
for an engagement.
Evaluate the audit
engagement’s objectives and
scope to ensure the quality of
the engagement.
Evaluate the risk assessment
process during the audit
engagement.
Assess the audit engagement
work program.
Evaluate audit engagement
staffing and resources.
Engagement fieldwork
• Information gathering
• Sampling
• Computer-assisted audit tools and techniques
• Data analytics
• Evidence
• Process mapping
• Analytical review
• Documentation
Competency Level
General Awareness Applied Knowledge Expert
Describe the purpose of
preliminary surveys of the
engagement area, checklists,
and risk-and control
questionnaires.
Describe the various
approaches to sampling,
including advantages and
drawbacks of each.
Describe the purpose,
advantages, and
disadvantages of using
computer-assisted audit tools
and techniques.
Perform a preliminary survey of
the engagement area; develop
checklists and risk-and-control
questionnaires; examine
relevant information during an
engagement.
Apply appropriate sampling
techniques.
Use computer-assisted audit
tools and techniques.
Evaluate engagement
information gathering
activities.
Evaluate audit engagement
sampling activities.
Evaluate the use of computer
assisted audit tools and
techniques during the audit
engagement.
60

Describe data analytics, the
data analytics process, and
the application of data
analytics methods in internal
auditing.
Recognize potential sources of
evidence.
Describe the purpose,
advantages, and
disadvantages of various
process mapping techniques.
Describe the purpose,
advantages, and
disadvantages of various
analytical review techniques.
Describe documentation and
workpaper requirements.
Apply data analytics methods.
Evaluate the relevance,
sufficiency, and reliability of
potential sources of evidence.
Apply appropriate analytical
approaches and process
mapping techniques.
Determine and apply analytical
review techniques.
Prepare workpapers and
documentation.
Evaluate the use of data
analytics in internal auditing.
Develop guideline to ensure
evidence is relevant, sufficient,
and reliable.
Evaluate process mapping of
the audit engagement.
Evaluate analytical review
techniques implemented
during the audit engagement.
Evaluate audit engagement
documentation.
Engagement outcomes
• Communication quality
• Conclusions
• Recommendations
• Reporting
• Residual risk and risk acceptance
• Management action plan
• Results monitoring
Competency Level
General Awareness Applied Knowledge Expert
Demonstrate quality
engagement communications,
including preliminary
communication with
engagement clients.
Describe the elements of
quality engagement
communications.
Recognize the elements of an
appropriate engagement
conclusion.
Recognize the importance of
providing recommendations.
Describe the engagement
communication and reporting
process, including interim
reporting, the exit conference,
obtaining management’s
response, the report approval
process, and distribution of the
report.
Summarize and develop
engagement conclusions.
Formulate recommendations to
enhance and protect
organizational value.
Prepare an interim report;
prepare a final audit report,
seek approval, and distribute to
appropriate parties.
Evaluate audit engagement
communications.
Evaluate audit engagement
conclusions.
Evaluate audit engagement
recommendations.
Review and approve
engagement reports;
recommend distribution of the
report to appropriate parties.
61

Describe the chief audit
executive’s responsibility for
identifying and assessing the
residual risk and the process
for communicating
management’s acceptance of
risk.
Describe engagement
outcomes; describe the
purpose of a management
action plan.
Recognize the importance of
monitoring and follow-up on
the disposition of audit
engagement results
communicated to management
and the board.
Identify residual risk.
Assess engagement outcomes,
including the management
action plan.
Manage monitoring and follow
up of the disposition of audit
engagement results
communicated to management
and the board.
Assess the impact of residual
risk; communicate
management’s acceptance of
risk to senior management and
the board.
Evaluate the collective
outcomes of engagements
performed by the internal audit
activity.
Evaluate monitoring and
follow-up performed by the
internal audit activity.
Internal Auditor Competencies Relevant to Performance Auditing 82
82
Taken from The IIA’s Internal Audit Competency Framework, The IIA, 2022.
62

References and Additional Reading
Competency Framework for Public Sector Audit Professionals at Supreme Audit Institutions,
INTOSAI, 2019. https://www.intosaicbc.org/wp-content/uploads/2019/09/5.-INTOSAI-
Competency-Framework-revised.pdf
European Court of Auditors “Developing the Audit Objectives,” 2013.
https://www.eca.europa.eu/lists/ecadocuments/guideline_audit_objectives/auditobjectives-guideline-en-oct2013.pdf
GUID 3910 Central Concepts of Performance Auditing, INTOSAI, 2019.
https://www.issai.org/wp-content/uploads/2019/08/GUID-3910-Central-Concepts-for-
Performance-Auditing.pdf
GUID 3920 The Performance Auditing Process, INTOSAI, 2019. https://www.issai.org/wpcontent/uploads/2019/08/GUID-3920-The-Performance-Auditing-Process.pdf
Indicators of Inputs, Activities, Outputs, Outcomes and Impacts in Security and Justice
Programming, Department of International Development, 2013.
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment
_data/file/304626/Indicators.pdf
Internal Audit: How to Conduct a Performance Audit, TDOT, 2016.
https://www.tn.gov/content/dam/tn/tdot/documents/InternalAudit/How_to_Conduct_a_Per
formance_Audit.pdf
The International Professional Practices Framework, The IIA, 2016.
https://www.theiia.org/en/standards/international-professional-practices-framework/
ISA 315 (Revised 2019): Identifying and Assessing the Risks of Material Misstatement,
IAASB, 2019. https://www.iaasb.org/publications/isa-315-revised-2019-identifying-andassessing-risks-material-misstatement
ISA 330, the Auditor’s Response to Assessed Risks, IFAC, 2013.
https://www.ifac.org/_flysystem/azureprivate/publications/files/A019%202013%20IAASB%20Handbook%20ISA%20330.pdf
ISSAI 100 Fundamental Principles of Public Sector Auditing, INTOSAI, 2019.
https://www.issai.org/wp-content/uploads/2019/08/ISSAI-100-Fundamental-Principles-of-
Public-Sector-Auditing.pdf
ISSAI 140 Quality Control for SAIs, INTOSAI, 2019.
https://www.issai.org/pronouncements/issai-140-quality-control-for-sais/
ISSAI 300 Performance Audit Principles, INTOSAI, 2019.
https://www.issai.org/pronouncements/issai-300-performance-audit-principles/
ISSAI 3000 Performance Audit Standard, INTOSAI, 2019. https://www.issai.org/wpcontent/uploads/2019/08/ISSAI-3000-Performance-Audit-Standard.pdf
Law No. 114/2015 on Internal Audit in the Public Sector, Republic of Albania Assembly,
2015. https://shtetiweb.org/wpcontent/uploads/2015/12/ligj_nr_114_dt_22_10_2015_24469_1.pdf
Law No. 154/2014 for the Organization and Functioning of the State High Control, Republic
of Albania, 2014. https://www.dap.gov.al/images/LegjislacioniAP/ligj_154_27.11.2014.pdf
63

Performance Audit ISSAI Implementation Handbook, IDI, 2021. https://www.idi.no/workstreams/professional-sais/work-stream-library/performance-audit-issai-implementationhandbook
Performance Auditing, KPMG, 2013.
https://assets.kpmg.com/content/dam/kpmg/pdf/2016/05/Performance-Auditing.pdf
Practice Guide: Unique Aspects of Internal Auditing in the Public Sector, The IIA, 2022.
https://www.theiia.org/en/content/guidance/recommended/supplemental/practiceguides/unique-aspects-of-internal-auditing-in-the-public-sector/
Rauum and Morgan, Performance Auditing: A Measurement Approach, The Internal Audit
Research Foundation, 2009.
The IIA’s Internal Audit Competency Framework, The IIA, 2022.
https://www.theiia.org/en/resources/internal-audit-competency-framework/
64

65

CIPFA: 77 Mansell Street, London E1 8AN
+44 20 7543 5600
cipfa.org
CEF: Cankarjeva cesta 18, 1000 Ljubljana, Slovenia
+386 1 369 61 90
cef-see.org
66