Module 4 - Introduction to Performance Audit_4A

Module 4: 

Introduction to 

Performance Audit 

TIAPS Albania 2023/24 

1

Table of Contents 

Module 4: Introduction to Performance Audit ........................................................................ 3 

Introduction ....................................................................................................................... 3 

Relevant Standards ........................................................................................................... 4 

Relevant Competencies .................................................................................................... 4 

References and Additional Reading .................................................................................. 5 

4A. Introduction to Performance Auditing (10%) .................................................................... 6 

4A. Learning Outcomes ..................................................................................................... 6 

4A.1 The Role of Performance Audits in the Public Sector .............................................. 6 

4A.2 Distinctive Features of Performance Auditing ........................................................ 12 

4A.3 Performance Auditing Supervision ........................................................................ 19 

4B. Planning a Performance Audit Engagement (40%) ....................................................... 24 

4B. Learning Outcomes ................................................................................................... 24 

4B.1 Performance Audits in the Audit Plan .................................................................... 24 

4B.2 Getting Started ...................................................................................................... 29 

Performance Audit Pre-Study ....................................................................................... 30 

4B.3 Audit Objectives .................................................................................................... 32 

Audit Questions............................................................................................................ 33 

4B.4 Audit Scope .......................................................................................................... 34 

4B.5 Methodology ......................................................................................................... 36 

4B.6 Audit Criteria ......................................................................................................... 39 

4C. Performing a Performance Audit Engagement (20%) ................................................... 43 

4C. Learning Outcomes ................................................................................................... 43 

4C.1 Auditing Economy, Effectiveness, and Efficiency .................................................. 43 

Measuring Economy, Effectiveness, and Efficiency ..................................................... 46 

4C.2 Audit Documentation ............................................................................................. 49 

4D. Communicating Performance Audit Engagement Results (30%) .................................. 53 

4D. Learning Outcomes ................................................................................................... 53 

4D.1 Performance Audit Report ..................................................................................... 53 

4D.2 Monitoring and Follow-Up ..................................................................................... 57 

Appendix 1: Extract from IIA Competency Framework ........................................................ 60 

References and Additional Reading .................................................................................... 63 

2

Module 4: Introduction to Performance Audit 

Introduction 

The TIAPS program has been developed for public sector internal auditors typically with 

three to five years of relevant experience, including those who are or who aspire to be in 

supervisory and managerial positions. It is suitable for those who are familiar with how to 

plan and perform internal audit services and communicate findings and insights. It aims to 

develop a deeper practical understanding of the contribution internal audit makes to 

organizational effectiveness and improvement as well as exploring how to coordinate and 

optimize internal audit resources and services. This includes building relationships with key 

stakeholders, developing a strategy for the internal audit function, managing people and 

other resources, enhancing quality and effectiveness through adoption of advanced 

practices, providing audit opinions, and supervising audit engagements. 

The TIAPS program comprises four modules: 

Module 1: Audit and Assurance 

Module 2: Good Governance, Managerial Accountability, Developing Strategy, and Data 

Analysis 

Module 3: Accounting Fundamentals 

Module 4: Introduction to Performance Audit 

Module 4: Introduction to Performance Audit describes the main characteristics of 

performance auditing as planned, conducted, and reported by the internal audit function. 

While there are many similarities with the performance audits of Supreme Audit Institutions, 

there are also important differences, not least the relevant professional standards, scope, 

and accountability. However, the purpose and approach of the auditing process are broadly 

similar. Guidance produced to help external auditors is also highly relevant for internal audit 

engagements. 

Performance auditing is also referred to as operational auditing or value for money auditing 

and by other terms and attempts to evaluate the economy, effectiveness, and efficiency of 

government activities, programs, and initiatives. Performance auditing serves the interests of 

two main groups: 

 

 

Organizational leaders, senior management, and those charged with governance by 

providing assurance and insight that may support continuous improvements. 

Wider stakeholders and the public by providing greater transparency and thus 

supporting accountability. 

The Module describes the processes involved in performance auditing from planning through 

to completion and reporting. It also considers the importance of performance auditing to the 

public sector. 

The module is organized as follows: 

4A. Introduction to Performance Auditing (10%) 

4A.1 The Role of Performance Audits in the Public Sector 

3

4A.2 Distinctive Features of Performance Auditing 

4A.3 Performance Auditing Supervision 

4B. Planning a Performance Audit Engagement (40%) 

4B.1 Performance Audits in the Audit Plan 

4B.2 Getting Started 

4B.3 Audit Objectives 

4B.4 Audit Scope 

4B.5 Audit Methodology 

4B.6 Audit Criteria 

4C. Performing a Performance Audit Engagement (20%) 

4C.1 Auditing Efficiency, Economy, and Effectiveness 

4C.2 Audit Documentation 

4D. Communicating Performance Audit Engagement Results (30%) 

4D.1 Performance Audit Report 

4D.2 Monitoring and Follow-Up 

References and Additional Reading 

Relevant Standards 

Reference is made throughout the TIAPS program to relevant international standards, 

principally those of The Institute of Internal Auditors (IIA) included in the International 

Professional Practices Framework (IPPF). Other standards and frameworks, most notably 

the COSO Internal Control – Integrated Framework and INTOSAI International Standards for 

Supreme Audit Institutions (ISSAI), are also noted where appropriate. 

The IIA launched the Global Internal Audit Standards January 9, 2024 to supersede the 

International Standards for the Professional Practice of Internal Auditing together with a 

significant restructuring of the IPPF. Internal audit functions are expected to implement the 

new standards by January 2025. The content of this Module reflects the 2017 edition of the 

IPPF (published in 2016 and effective from the start of 2017 until the end of 2024). 

Participants should familiarize themselves with the Global Internal Audit Standards, although 

fundamental principles about the practice of internal auditing have not changed 

substantively. Assessment for this program will not require students to be familiar with the 

new standards. 

Relevant Competencies 

Reference is made throughout the material to relevant competencies taken from the IIA’s 

Internal Audit Competency Framework. The purpose of including these statements, which 

describe competencies at three levels (General Awareness, Applied Knowledge, and 

Expert), is to remind students of the practical nature of this program. To develop 

4

competencies, knowledge acquired by reading, reflection, and experience needs to be 

applied to practical situations and supported by appropriate attitudes and values. Personal 

and professional development is a continuous process. 

The IIA’s Internal Audit Competency Framework is designed for all internal auditors, is based 

on global research, and represents recognized best practices. The statements are 

necessarily brief and much more detail and information is needed to substantiate and 

contextualize the content. The statements can be regarded as signposts to help internal 

auditors and their managers navigate their careers, identifying opportunities for ongoing 

advancement to remain competent and best able to meet or exceed the needs and 

expectations of their stakeholders. 

The INTOSAI competency framework is also referenced. 

References and Additional Reading 

References are given at the end of this module. Participants are encouraged to read these to 

provide greater understanding of the topics. The items have been selected to complement 

the content included in this module and to offer internal auditors relevant, practical guidance. 

5

4A. Introduction to Performance Auditing (10%) 

4A. Learning Outcomes 

On completion of this Module, students will be better able to: 

 

 

 

 

 

 

 

Define performance auditing as it is conducted in the public sector. 

Differentiate performance auditing from other types of audit engagements (notably 

financial and conformance). 

Differentiate between the performances audits of internal auditors and external 

auditors (especially those conducted by SAIs). 

Identify appropriate standards and competencies for performance auditing. 

Describe the importance of supervision in performance auditing. 

Describe the importance of materiality in performance auditing. 

Assess the importance of audit recommendations. 

4A.1 The Role of Performance Audits in the Public Sector 

Performance audits (also known as operational or value for money audits) are a distinctive 

feature of public sector auditing (although they can be applied to private sector organizations 

and activities). They are routinely conducted by both internal auditors and external auditors. 

Definition of Performance Auditing 

The Institute of Internal Auditors (IIA) offers a brief definition of performance auditing in 

Practice Guide: Unique Aspects of Internal Auditing in the Public Sector: 

Evaluations of achievement of agency/program stated outcomes to determine 

whether public funds have been used with economy, effectiveness, and efficiency, 

also known as operational or value-for-money auditing. 1 

For external auditors, performance audits are one of the three main types of engagements 

recognized by the International Organization of Supreme Audit Institutions (INTOSAI) (the 

other two being financial and compliance audits, with additional consideration given to 

jurisdictional audits). INTOSAI provides the following definition: 

Performance auditing carried out by SAIs [Supreme Audit Institutions] is an independent, 

objective, and reliable examination of whether government undertakings, systems, 

operations, programmes, activities, or organizations are operating in accordance with the 

principles of economy, efficiency, and effectiveness and whether there is room for 

improvement. 2 

(The three key terms economy, efficiency, and effectiveness are defined below.) This 

definition is equally applicable to performance auditing conducted by internal auditors, 

although different (but comparable) professional standards are used, and the scope of an 

internal audit engagement is limited to the entity (or entities) to which the auditors are 

accountable. The scope of SAIs, by contrast, in evaluating the use of public funds in respect 

of national priorities, is the entirety of the public sector, although many entities and their 

1 

Practice Guide: Unique Aspects of Internal Auditing in the Public Sector, The IIA, 2022. 

2 

ISSAI 3000 Performance Audit Standard, INTOSAI, 2019. 

6

activities, especially those of lower tier or local government, may be audited by other 

external providers according to legal and regulatory requirements. 

A definition specific to internal audit is offered as follows: 

Performance auditing is a technique used by internal auditors to evaluate the economy, 

efficiency, and effectiveness of the organisation’s operations so as to assure 

management that its strategic objectives are being carried out and whether or not they 

can be improved on. The scope of the audit is expanded beyond the verification of 

financial controls or compliance with policies as it looks for the existence of management 

measures such as leadership, employee empowerment, teamwork, risk assessment, 

management information, communication, resource allocation, productivity 

measurement, etc. Performance auditing therefore requires flexibility, imagination and 

analytical skills to provide organisations with innovative solutions and new ideas. 3 

Describing it as a “technique” is not intended to narrow what in reality embraces a 

framework, approach, and set of activities which are collectively applied to performance 

auditing. The potential scope of performance audits is constrained only by practicalities such 

as resources. In principle, auditors can focus their attention to where it is most needed 

depending on perceived priorities which may be subject to change over time to include 

topical issues such as sustainability, public health, and matters relating to access, diversity, 

equity and inclusion. 

In general terms, all audits can be classified under two broad headings: 

Verification auditing, where auditors validate information prepared by another party. 

Information development auditing, where auditors develop new information. 4 

In many cases, audit engagements include a combination of verification and information 

development. Compliance and financial audits belong to the former, performance audits to 

the latter. In practice, many performance audits include elements of compliance, financial, 

and IT audits as ways of evaluating performance (although the purpose is not to arrive at an 

opinion on the accuracy of financial statements). 

While the IPPF covers all internal audit services and makes no real distinction among types 

of audits, Standards 2120 (Risk Management) and 2130 (Control) direct internal auditors to 

make evaluations in the context of: 

Achievement of the organization’s strategic objectives. 

Reliability and integrity of financial and operational information. 

Effectiveness and efficiency of operations and programs. 

Safeguarding of assets. 

Compliance with laws, regulations, policies, procedures, and contracts. 5 

3 

Performing Auditing, KPMG, 2013. 

4 

See Rauum and Morgan, Performance Auditing: A Measurement Approach, The Internal 

Audit Research Foundation, 2009. 

5 

The International Professional Practices Framework, The IIA, 2016. 

7

The first and third of these aspects are consistent with the focus and purpose of 

performance auditing. However, performance auditing considers a broad range of subject 

matter and can contribute to all aspects of the mission of internal auditing. For example: 

 

 

 

Operational information relates closely to efficiency and effectiveness. 

Safeguarding of assets has a strong link with the principle of economy. 

Compliance with laws, regulations, policies, and other authorities is often a key 

consideration in performance auditing. 

The following table summarizes the main similarities and differences between the 

performance audits conducted by internal auditors and SAI external auditors. 

Primary 

Characteristics 

Relevant 

professional 

standards 

Relevant 

competencies 

Mandate 

Primary 

accountability 

Purpose of 

performance 

auditing 

Type of audit 

Scope 

Methodology 

Criteria 

Performance Auditing 

Internal Audit 

External Audit (SAI) 

Mandatory and recommended General and specific principles, 

elements of The IIA’s 

standards, and guidance of 

International Professional INTOSAI’s International 

Practices Framework (IPPF) Framework of Professional 

applicable to all audits. 

Pronouncements (IFPP) 

comprising principles (INTOSAI- 

P), standards (ISSAIs) and 

guidance (GUIDs). 

Defined by The IIA’s Internal 

Audit Competency Framework. 

Defined by INTOSAI’s 

Competency Framework for 

Public Sector Audit Professionals 

at Supreme Audit Institutions. 

Defined in the Internal Audit Defined in legislation. 

Charter and/or legislation. 

To the governing body and To parliament and the public. 

senior leadership of an individual 

entity or group of entities. 

To determine whether public funds have been used with economy, 

effectiveness, and efficiency, and identify opportunities for 

improvement. 

Assurance. 6 While performance audits are assurance engagements, 

auditors may be asked to provide advisory services. This is formally 

within the mandate of internal auditors and is increasingly regarded 

as part of the role of external auditors as well. 

Activities, programs, processes, 

and systems of an individual 

entity or group of entities. 

Determined by the auditor. 

Activities, programs, processes, 

systems, and entities across the 

public sector. 

Determined by the auditor, supported by standards, guidance, 

policies, manuals, and handbooks. 

Determined by the auditor, supported by standards, guidance, 

policies, manuals, and handbooks. 

6 

Referred to as a “direct reporting engagement” by external auditors as the topic, scope, 

objectives, and criteria are selected and defined by the auditor. 

8

Primary similarities and differences between performance audits of internal and external 

auditors 

For SAIs national standards may also apply or substitute for the ISSAIs. Other external audit 

providers will apply standards according to statutory requirements. 

Standards for Performance Auditing 

First and foremost, performance auditing is a form of auditing and therefore the general 

requirements for managing and executing all such engagements apply. 

Standards for Performance Auditing – External Audit 

For external auditors in the public sector, this means the INTOSAI Founding Principles 

(INTOSAI-P 1-99), Fundamental Principles (ISSAI 100-129), and Organizational 

Requirements (ISSAI 130-199) apply as they do for all external audits. In addition, specific 

standards for Performance Audit (ISSAI 300-399 and 3000-3899) also apply. ISSAI also 

provides supplementary guidance (GUID 3900-3999) to support implementation. 

Likewise, the “cross-cutting competencies” defined in the INTOSAI competency framework 

are applicable to all engagements and are arranged in five clusters: 

CC1: An audit professional leads by example. 

CC2: An audit professional engages effectively with stakeholders. 

CC3: An audit professional behaves in a professional manner. 

CC4: An audit professional contributes to the value and benefits of the SAI. 

CC5: Additional reflection for SAIs with Jurisdictional Responsibilities. 7 

There are also specific competencies defined for each major type of audit, including the 

following clusters for performance auditing: 

 

 

 

 

 

PAC1: An audit professional adds value by conducting ISSAI-compliant performance 

audits. 

PAC2: An audit professional demonstrates an understanding of context, 

environment, and entity in a performance audit. 

PAC3: An audit professional assesses and manages risk in a performance audit. 

PAC4: An audit professional performs and documents performance audit procedures 

as per ISSAIs. 

PAC5: An audit professional effectively communicates and follows up on 

performance audit results. 8 

Standards for Performance Auditing – Internal Audit 

The IIA does not provide separate standards for performance auditing and very limited 

official guidance. Practitioners need to adhere to The IIA’s International Practices 

Professional Framework (IPPF) applicable to all assurance and advisory engagements. This 

entails performance audits need to be consistent with the following: 

7 

Competency Framework for Public Sector Audit Professionals at Supreme Audit 

Institutions, INTOSAI, 2019. 

8 



9

The Definition of Internal Auditing. 

o Internal auditing is an independent, objective assurance and consulting 

activity designed to add value and improve an organization’s operations. It 

helps an organization accomplish its objectives by bringing a systematic, 

disciplined approach to evaluate and improve the effectiveness of risk 

management, control, and governance processes. 9 

The Mission of Internal Audit. 

o To enhance and protect organizational value by providing risk-based and 

objective assurance, advice, and insight. 10 

The Core Principles for the Professional Practice of Internal Auditing. 

o Demonstrates integrity. 

o Demonstrates competence and due professional care. 

o Is objective and free from undue influence (independent). 

o Aligns with the strategies, objectives, and risks of the organization. 

o Is appropriately positioned and adequately resourced. 

o Demonstrates quality and continuous improvement. 

o Communicates effectively. 

o Provides risk-based assurance. 

o Is insightful, proactive, and future-focused. 

o Promotes organizational improvement. 11 

The Code of Ethics. 

1. Integrity: The integrity of internal auditors establishes trust and thus provides 

the basis for reliance on their judgment. 

2. Objectivity: Internal auditors exhibit the highest level of professional 

objectivity in gathering, evaluating, and communicating information about the 

activity or process being examined. Internal auditors make a balanced 

assessment of all the relevant circumstances and are not unduly influenced 

by their own interests or by others in forming judgments. 

3. Confidentiality: Internal auditors respect the value and ownership of 

information they receive and do not disclose information without appropriate 

authority unless there is a legal or professional obligation to do so. 

4. Competency: Internal auditors apply the knowledge, skills, and experience 

needed in the performance of internal audit services. 12 

The International Standards for the Professional Practice of Internal Auditing. 

o Attribute Standards (1000-1322). 

o Performance Standards (2000-2600). 

Care should be taken to avoid confusion regarding the Performance Standards of the IPPF 

which “describe the nature of internal auditing and provide quality criteria against which the 

performance of these services can be measured,” applicable to all types of engagements. 13 

9 


10 


11 


12 


13 


10

Non-mandatory but recommended guidance (Implementation Guidance and Supplemental 

Guidance) is also useful where relevant. 14 While ISSAI standards and guidance are 

designed for SAIs, such content is often of great value to internal auditors as well. 

The IIA Competency Framework is organized in four knowledge areas: 

Professionalism. 

Performance. 

Environment. 

Leadership and Communication. 15 

All elements are relevant for performance auditing. Competencies taken from the 

performance knowledge area of particular interest for planning, performing, and reporting are 

included in Appendix 1. 

Performance Auditing Consistent with Mandate/Charter 

The types of audit engagements to be provided should be made clear by the legislation or 

charter defining the mandate of the internal or external audit provider. For example, the 

internal audit law of Albania includes direct reference to performance audits, as follows: 

Types of Internal Audit services 

Internal audit activity includes assurance and counselling services as follows: 

1. An audit engagement in assurance services includes a thorough assessment of 

the governance, risk management and control processes in a public sector unit 

through compliance audit, performance audit, financial audit, information 

technology audit and other types of auditing. 

2. An audit engagement in counselling services includes providing counselling and 

opinions aiming at adding value and improving risk management and control 

processes on which internal audit has no managerial responsibilities. An audit 

engagement in counselling services is initiated by the head of public entity. 16 

For the Supreme State Control of Albania, “audit” is defined to include “compliance auditing, 

financial auditing, performance audit, IT audit, as well as their combined audit” and has 

authority to conduct performance audits in any activity considered necessary. 17 

Internal and External Performance Auditing 

Internal auditors and external auditors have different mandates. However, both undertake 

performance audits. While standards may differ, they are comparable and compatible. In the 

absence of specific performance standards for internal auditing and detailed guidance, those 

designed for external auditors provide plenty of value for internal auditors. 

14 

For a list of IIA public sector guidance visit https://www.theiia.org/en/standards/what-arethe-standards/recommended-guidance/supplemental-guidance/. 

15 

The IIA’s Internal Audit Competency Framework, The IIA, 2022. 

16 

Law No. 114/2015 on Internal Audit in the Public Sector, Republic of Albania Assembly, 

2015. 

17 

Law No. 154/2014 for the Organization and Functioning of the State High Control, 

Republic of Albania, 2014. 

11

Given the similarities between the work of internal auditors and external auditors, it can be 

very useful for internal audit functions and SAIs to work together toward the shared goal of 

evaluating the economy, effectiveness, and efficiency of public sector practices at the policy, 

system, project, entity, or sector-wide level. Audit providers need to maintain their 

independence and remain free to plan and operate without interference. Auditors are 

responsible for the results of their audits even when they rely on the work of other assurance 

providers. However, there are opportunities for working together that do not impede these 

basic principles. Examples include: 

 

 

 

 

 

 

Discuss audit themes, trends, and priorities. 

Share details of audit plans with each other and consider adjusting plans to 

coordinate activities where possible to avoid bunching, excessive coverage, or audit 

fatigue as well as aligning on topics of joint concern. 

Share resources and expertise, with the potential for internal auditors to act as guest 

auditors or subject matter experts for an external audit and vice versa. 

Collaborate on audit training on topics of mutual interest. 

Use each other’s results when work is relevant, timely, and reliable. 

Advocate jointly with stakeholders and influential agents for the importance of 

assurance and advisory services that are competent, well-resourced, appropriately 

positioned, and independent. 

4A.1: Reflection 

Does your internal audit function provide performance audits? 

How close in approach and subject matter are the performance audits of internal auditors 

and external auditors? 

Is it important for internal and external auditors to communicate and coordinate activities 

regarding performance audits? 

In addition to the generic internal audit competencies included in The IIA’s Internal Audit 

Competency Framework, are there specific competencies – focusing on distinct knowledge, 

skills, and mindsets – needed for performing performance audits, and if so what are they? 

4A.2 Distinctive Features of Performance Auditing 

Performance audits start with two fundamental considerations: 

 

 

What performance is to be reviewed (i.e., what needs to be examined among public 

sector programs, activities, functions, and entities, and over what period)? 

What level of performance is expected, desired, or possible? 

Accordingly, auditors must be fully acquainted with performance management systems and 

how they are organized. These are generally aligned with program budgeting and budgetary 

control, although performance is not to be considered purely in financial terms. The auditor 

must also be familiar with planning and review cycles and how these are used by 

management to regulate and monitor activity. 

12

The IPPF does not prescribe specific sequential steps an internal auditor must follow when 

completing an engagement. The mechanics of such audits follow the usual processes 

related to planning, performing, and communication and in accordance with the relevant 

standards. As for all engagements, prior to planning a performance audit, a decision is made 

to include it in the audit plan, including the area of focus or topic (although this is refined as 

part of the audit preparation when the scope and objectives are more fully developed). 

Inclusion of performance audits in the internal audit plan and consideration of topics are 

covered in section 4B.1. 

The processes adopted for a performance audit may be defined in the audit manual with 

supporting documentation. Many auditors (both internal and external) follow an approach 

akin to the illustration below (based on Performance Audit ISSAI Implementation 

Handbook). 18 

Step 1 

•Select audit 

topic 

Step 2 

•Design audit 

Step 3 

•Conduct audit 

Step 4 

•Develop audit 

outputs 

Step 5 

•Communicate 

audit outputs 

Step 6 

•Follow up 

Performance Audit Process: Overview 

In this context, “audit outputs” refers to findings, conclusions, and recommendations. 

The following internal and external audit standards are especially relevant to these six steps: 

Step 1 

IIA 

Select audit topic 

2010 – Planning 

2100 – Nature of Work 

ISSAI Three Parties in Performance Auditing 300/16-18 

Subject Matter and Criteria in Performance Auditing 300/19-20 

18 

See Performance Audit ISSAI Implementation Handbook, IDI, 2021. 

13

Step 2 

IIA 

Confidence and Assurance in Performance Auditing 300/21-23 

Design audit 

2200 – Engagement Planning 

2201 – Planning Considerations 

2210 – Engagement Objectives 

2220 – Engagement Scope 

2230 – Engagement Resource Allocation 

2240 – Engagement Work Program 

ISSAI Subject Matter 3000/29-31 

Selecting the Topic 3000/89-95 

Audit Objective 300/25, 3000/35-39 

Audit Approach 300/26, 3000/40-44 

Criteria 300/27, 3000/45-51 

Audit Risk 300/28, 3000/52-54 

Planning 300/36 

Designing the Audit 300/37, 3000/96-105 

Step 3 

IIA 

Conduct audit 

2300 – Performing the Engagement 

2310 – Identifying Information 

ISSAI Conducting 3000/106-115 

Step 4 Develop audit outputs (findings, conclusions, recommendations) 

IIA 2320 – Analysis and Evaluation 

2330 – Documenting Information 

ISSAI Evidence, Findings, and Conclusions 300/38 

Professional Judgment and Skepticism 300/31, 3000/68-78 

Documentation 300/34, 3000/86-88 

Step 5 

IIA 

Communicate audit outputs (findings, conclusions, recommendations) 

2400 – Communicating Results 

2419 – Criteria for Communicating 

2420 – Quality of Communications 

2421 – Errors and Omissions 

2430 – Use of “Conducted in Conformance with the International Standards for the 

Professional Practice of Internal Auditing” 

2431 – Engagement Disclosure of Nonconformance 

2440 – Disseminating Results 

2450 – Overall Opinions 

ISSAI Communication 300/29, 3000/55-62 

Quality Control 300/32, 3000/79-82 

Content of the Report 300/39 

Reporting 3000/116-135 

Recommendations 300/40 

Distribution of the report 300/41 

Step 6 

IIA 

Follow-up 

2500 – Monitoring Progress 

2600 – Communicating the Acceptance of Risk 

ISSAI Follow-Up 300/42, 3000/136-141 

Internal Audit (IIA) and External Audit (ISSAI) Standards Relevant to Performance Auditing 

Engagement supervision (IIA Standard 2340, ISSAI Standard 3000/66-67) is an important 

aspect for quality control throughout the engagement and is covered in section 4A.3. 

14

In describing performance auditing, it is common to refer to the three Es: 

 

 

 

Economy. 

Effectiveness. 

Efficiency. 

While the three Es remain the core focus of performance auditing, consideration can be 

extended to cover the following: 

 

 

 

Environment. 

Equity. 

Ethics. 

The six Es are illustrated in the graphic below. 

Efficiency 

Environment 

Effectiveness 

Equity 

Economy 

Six Es of 

Performance 

Auditing 

Ethics 

The Six Es of Performance Auditing 

The first three are defined in ISSAI 300: 

Economy is minimizing costs of resources used in performing an activity. The resources 

used should be available in due time, in and of appropriate quantity and quality and at 

the best price. 

Efficiency is getting the most from available resources. It is concerned with the 

relationship between resources employed (the inputs) and outputs delivered in terms of 

quantity, quality, and timing. 

Effectiveness is meeting the objectives set and achieving the intended results. 19 

19 

ISSAI 300 Performance Audit Principles, INTOSAI, 2019. 

15

To appreciate these distinctions, it is important to recognize the relationships among 

purpose, inputs, activities (or processes), outputs, outcomes, and impacts. When 

considering performance of any kind one may ask: 

Purpose: what are the objectives (i.e., intended outputs, outcomes, and impacts) of 

the project? 

Inputs: what resources are required to enable the project? 

Activities (or processes): what does the project do? 

Outputs: what does the project produce? 

Outcomes: what does the project achieve? 

Impacts: how does the project contribute to high level strategic goals? 20 

For example, a program of vaccination may be considered as follows: 

 

 

 

 

 

 

Purpose: to reduce the occurrence and spread of disease. 

Inputs: medical professionals, vaccines, equipment, facilities, and other resources. 

Activities (or processes): promotional campaigns, administration, coordination of 

patients, medical professionals, and medical facilities. 

Outputs: targeted levels of vaccination. 

Outcomes: targeted levels of reduced incidence of disease. 

Impacts: long-term social benefits related to a healthier and more productive 

population. 

Economy relates to the use of inputs. Efficiency relates to the way in which inputs are used 

to achieve outputs. Effectiveness is a measure of performance relating actual outputs, 

outcomes, and impacts to intended results (as defined in the objectives) as well as desirable 

or potential results (based on other criteria). 

These relationships are illustrated in the graphic below. 

Relationship Among Economy, Efficiency, and Effectiveness 21 

In evaluating the three Es, performance auditing usually involves consideration of related 

dimensions, such as results (outputs, outcomes, and impacts), timeliness, and quality. 

20 

See Indicators of Inputs, Activities, Outputs, Outcomes and Impacts in Security and 

Justice Programming, Department of International Development, 2013. 

21 

Based on Figure 1, Performance Audit ISSAI Implementation Handbook, IDI, 2021. 

16

The other Es are used to illustrate the importance of: 

 

 

 

Understanding the internal and external context of the performance audit 

(environment). 

The fundamental objectives of economic and social well-being, inclusion, 

participation, access, and security (equity). 

Integrity as a pre-requisite for a robust control environment (ethics). 

This is reflected in the external auditor competency PAC2: “An audit professional 

demonstrates an understanding of context, environment, and entity in a performance 

audit.” 22 This competency overlaps with the requirement to exercise due professional care. 

Standard 1220 – Due Professional Care 

Internal auditors must apply the care and skill expected of a reasonably prudent and 

competent internal auditor. Due professional care does not imply infallibility. 

1220.A1 Internal auditors must exercise due professional care by considering the: 

Extent of work needed to achieve the engagement’s objectives. 

Relative complexity, materiality, or significance of matters to which assurance 

procedures are applied. 

Adequacy and effectiveness of governance, risk management, and control 

processes. 

Probability of significant errors, fraud, or noncompliance. 

Cost of assurance in relation to potential benefits. 23 

This further heightens the importance of materiality and audit risk at all stages in the audit 

process. 

Materiality 

The amount of consideration an auditor should give to any feature related to performance 

depends on its materiality to the engagement. Materiality is both a quantitative and a 

qualitative matter. When determining if something is material, it is not simply a question of 

making a measurement, and an auditor must always apply professional judgment. While 

materiality is about significance, it is not defined solely by the absolute value of an item. 

Much depends on the specific context. 

The key to a judgment about materiality is consideration of the impact on the intended users 

of the results and the report. This applies to judgments about the potential effect on the 

subsequent decisions made by the reader of the inclusion, exclusion, and/or misstatement of 

an item. This means the auditor must consider the needs of the intended users of the report 

as well as other stakeholders. Numerical value must be considered alongside factors such 

as frequency of occurrence, potential consequences, impact on other matters, public 

interest, political sensitivity, regulatory requirements, and cumulative impact of multiple 

occurrences. 

22 



23 


17

Materiality is relevant for all audits, not just performance audits, although the focus for 

financial auditing is primarily numerical. It is also an issue to consider throughout the audit 

process, and may influence scoping, planning, evaluation, and reporting. 

For the internal auditor, the ethical principle of objectivity requires one to “disclose all 

material facts known to them that, if not disclosed, may distort the reporting of activities 

under review.” 24 Materiality is also relevant to the exercise of due professional care requiring 

auditors to consider “relative complexity, materiality, or significance of matters to which 

assurance procedures are applied.” 25 

For external auditors, there is greater direction regarding materiality. According to ISSAIs 

300 and 3000: 

33) Auditors should consider materiality at all stages of the audit process. Thought 

should be given not only to financial but also to social and political aspects of the 

subject matter, with the aim of delivering as much added value as possible. 26 

83) The auditor shall consider materiality at all stages of the audit process, including 

the financial, social and political aspects of the subject matter with the goal of 

delivering as much added value as possible. 27 

Audit Risk 

As a goal-oriented activity, auditing is subject to risk. Circumstances relating to people, 

resources, processes, and events may impact an audit, including its accuracy, timeliness, 

relevance, and impact on the recipients of the report. Controls for audit risk include 

appropriate auditor training, internal audit policies, careful planning, supervision, and 

adherence to standards and methodologies. 

More specifically, the term “audit risk” is used to refer to the potential an auditor (usually in 

the context of external audit) may issue an incorrect opinion. It is considered in relation to 

financial audits but is useful to take into account for all engagements, including performance 

engagements. There are inherent risks in making judgments. An auditor must rely on their 

ability to summarize and evaluate, and necessarily makes assumptions about information 

gathered and used. Control risks may arise when organizational processes are used to 

identify material misstatements in reports used by the auditor. 

ISSAIs 300 and 3000 guide auditors in respect of audit risks as follows: 

28) Auditors should actively manage audit risk, which is the risk of obtaining incorrect 

or incomplete conclusions, providing unbalanced information or failing to add 

value for users. 28 

24 

Rules of Conduct: Objectivity 2.3, The International Professional Practices Framework, 

The IIA, 2016. 

25 

1220 Due Professional Care, The International Professional Practices Framework, The 

IIA, 2016. 

26 


27 


28 


18

52) The auditor shall actively manage audit risk to avoid the development of incorrect 

or incomplete audit findings, conclusions, and recommendations, providing 

unbalanced information or failing to add value. 29 


How is the decision made to include a performance audit in the internal audit plan? 

Do audit clients understand the difference between performance audits and other kinds of 

engagements? 

The IIA provides no additional standards for performance audits and limited guidance. Are 

the steps and processes for conducting performance audits defined for you in audit policies, 

manuals, and handbooks? 

4A.3 Performance Auditing Supervision 

Supervision is a prerequisite for all audit engagements for the purposes of quality control. 

Supervision also serves to improve the efficiency of the audit process. For internal auditing, 

supervision is a key part of ongoing monitoring within internal assessments which are key to 

the quality assurance and improvement program. 

Ongoing monitoring is an integral part of the day-to-day supervision, review, and 

measurement of the internal audit activity. Ongoing monitoring is incorporated into 

the routine policies and practices used to manage the internal audit activity and uses 

processes, tools, and information considered necessary to evaluate conformance 

with the Code of Ethics and the Standards. 30 

The requirements for audit supervision are included in both IIA and ISSAI standards. 

2340 – Engagement Supervision 

Engagements must be properly supervised to ensure objectives are achieved, quality 

is assured, and staff is developed. 

Interpretation: 

The extent of supervision required will depend on the proficiency and experience of 

internal auditors and the complexity of the engagement. The chief audit executive 

has overall responsibility for supervising the engagement, whether performed by or 

for the internal audit activity, but may designate appropriately experienced members 

of the internal audit activity to perform the review. Appropriate evidence of 

supervision is documented and retained. 31 

29 


30 

Standard 1311 – Internal Assessments, The International Professional Practices 

Framework, The IIA, 2016. 

31 


19

Supervision 

66) The SAI shall ensure that the work of the audit staff at each level and audit phase 

is properly supervised during the audit process. 

67) Audit supervision involves providing sufficient guidance and direction to the audit 

team assigned to the audit. The auditor who supervises the audit would be 

expected to have competence and knowledge in audit methodologies; planning 

and monitoring work; project management; strategic thinking; foresight and 

problem solving. The level of supervision provided by the auditor may vary 

depending upon the proficiency and experience of the audit team and the 

complexity of the subject matter of the audit. 32 

It should be noted that a team member designated to supervise an engagement should not 

have responsibilities for that engagement to avoid a conflict of interest. This presents 

practical difficulties in small audit teams. 

There are two aspects to supervision: 

 

 

Overseeing individuals. 

Overseeing their work. 

The supervisor assigns tasks, confirms expectations, monitors performance, provides 

feedback and encouragement, intervenes where necessary, directs, advises, and coaches, 

offers on-the-job training, and acknowledges and celebrates achievements. Supervisors also 

provide feedback to higher levels of authority, up to the head of internal audit or the SAI. 

The engagement plan provides a suitable framework within which the supervisor guides and 

supports auditors. The supervisory work may begin with assisting with the development of 

the plan which thereafter informs not only the performance of the audit but also the 

discharge of supervision. The engagement plan will typically identify the key tasks to be 

completed, including the following: 

 

 

 

 

 

 

 

 

Guiding the survey phase to obtain knowledge to formulate objectives. 

Formulating clear audit objectives that set forth what the audit is expected to 

accomplish. 

Coordinating with other auditors when appropriate, including work that is planned or 

already completed. 

Selecting a valid and sound scope and methodology for accomplishing the objectives 

and obtaining sufficient data without wasting resources in acquiring unneeded data. 

Establishing the type and amount of resources and staff skills and knowledge, and 

the use of any consultants and experts. 

Segmenting the work where necessary to clearly identify responsibility of assigned 

staff. 

Identifying audit criteria, when criteria is to be applied in the audit. 

Selecting a strategy and approach for communicating audit results to users timely 

and effectively. 

32 


20

Choosing quality assurance steps that will ensure adherence with applicable auditing 

standards, including those for evidence to support audit findings. 33 

The supervisor also has an important role in determining the staff resources needed for the 

engagement to ensure the right capacity and quality of skills and expertise are available. 

The number, frequency, and nature of review meetings held by the supervisor with the 

auditor or auditors should be decided based on need. Factors would include the level of 

experience of the auditor, the length and complexity of the audit, and personal preferences 

of both parties. Meetings should be structured by focusing on the audit plan, have a clear 

purpose, and result in agreed actions that are recorded and shared. 

Other Aspects of Quality Control 

Quality is essential for the integrity of the audit provider. As referenced above, the role of 

supervision plays a key role in quality assurance and is described by the IPPF as part of a 

comprehensive quality assurance and improvement program (QAIP). Audit policies and 

procedures should be designed to promote quality, conformance with the Standards, and 

continuous improvement. Regular internal and external review of the QAIP is needed to 

ensure it is working. The head of the internal audit function is required to keep the governing 

body advised on matters relating to QAIP and conformance. 

ISSAI 140 Quality Control for SAIs identifies six elements required for quality assurance and 

control, as summarized in the graphic below. 

Acceptance and 

continuance 

Human 

resources 

Ethical 

requirements 

Performance 

Leadership 

responsibilities 

Framework 

of Quality 

Control 

Monitoring 

These principles are defined as follows: 

Six Elements of SAI’s System of Quality Control 34 

 

Leadership responsibilities: An SAI should establish policies and procedures 

designed to promote an internal culture recognising that quality is essential in 

33 

Rauum and Morgan, Performance Auditing: A Measurement Approach, the Internal Audit 

Research Foundation, 2009. 

34 

As defined in ISSAI 140 Quality Control for SAIs, INTOSAI, 2019. 

21

performing all of its work. Such policies and procedures should be set by the Head of 

the SAI, who retains overall responsibility for the system of quality control. 

Ethical requirements: An SAI should establish policies and procedures designed to 

provide it with reasonable assurance that the SAI, including all personnel and any 

parties contracted to carry out work for the SAI, comply with relevant ethical 

requirements. 

Acceptance and continuance: An SAI should establish policies and procedures 

designed to provide the SAI with reasonable assurance that it will only carry out 

audits and other work where the SAI: 

a) is competent to perform the work and has the capabilities, including time and 

resources, to do so; 

b) can comply with relevant ethical requirements; and 

c) has considered the integrity of the organisation being audited and has considered 

how to treat the risk to quality that arises. The policies and procedures should 

reflect the range of work carried out by each SAI. In many cases SAls have little 

discretion about the work they carry out. SAIs carry out work in three broad 

categories: 

o Work that is required of them by their mandate and statute and which they 

have no option but to carry out; 

o Work that is required by their mandate, but where they have discretion as to 

the timing, scope and/or nature of work; 

o Work that they can choose to carry out. 

Human resources: The SAI shall establish policies and procedures designed to 

provide it with reasonable assurance that it has sufficient personnel with the 

competence, capabilities and commitment to ethical principles necessary to: 

a) perform engagements in accordance with professional standards and applicable 

legal and regulatory requirements; and 

b) enable the firm or engagement partners to issue reports that are appropriate in 

the circumstances. 

Performance: The SAI shall establish policies and procedures designed to provide it 

with reasonable assurance that engagements are performed in accordance with 

professional standards and applicable legal and regulatory requirements, and that 

the firm or the engagement partner issue reports that are appropriate in the 

circumstances. Such policies and procedures shall include: 

a) matters relevant to promoting consistency in the quality of engagement 

performance; 

b) supervision responsibilities; 

c) and review responsibilities. 

Monitoring: The SAI shall establish a monitoring process designed to provide it with 

reasonable assurance that the policies and procedures relating to the system of 

quality control are relevant, adequate and operating effectively. This process shall: 

a) include an ongoing consideration and evaluation of the firm’s system of quality 

control including, on a cyclical basis, inspection of at least one completed 

engagement for each engagement partner; 

b) require responsibility for the monitoring process to be assigned to a partner or 

partners or other persons with sufficient and appropriate experience and authority 

in the firm to assume that responsibility; and 

22

c) require that those performing the engagement or the engagement quality control 

review are not involved in inspecting the engagements. 35 


What qualities does a good supervisor need to have? 

What training do your auditors receive to help them become effective supervisors? 

How should supervisors determine the number of individuals and the expertise needed for 

a performance audit? 

What is the best way to manage progress meetings as a supervisor? 

What is the best way to prepare for a progress meeting with your supervisor as an auditor 

on an engagement? 

35 

ISSAI 140 Quality Control for SAIs, INTOSAI, 2019. 

23

Module 4 - Introduction to Performance Audit_4A

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?