You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Module</strong> 4:<br />
<strong>Introduction</strong> <strong>to</strong><br />
<strong>Performance</strong> <strong>Audit</strong><br />
TIAPS Albania 2023/24<br />
1
Table of Contents<br />
<strong>Module</strong> 4: <strong>Introduction</strong> <strong>to</strong> <strong>Performance</strong> <strong>Audit</strong> ........................................................................ 3<br />
<strong>Introduction</strong> ....................................................................................................................... 3<br />
Relevant Standards ........................................................................................................... 4<br />
Relevant Competencies .................................................................................................... 4<br />
References and Additional Reading .................................................................................. 5<br />
<strong>4A</strong>. <strong>Introduction</strong> <strong>to</strong> <strong>Performance</strong> <strong>Audit</strong>ing (10%) .................................................................... 6<br />
<strong>4A</strong>. Learning Outcomes ..................................................................................................... 6<br />
<strong>4A</strong>.1 The Role of <strong>Performance</strong> <strong>Audit</strong>s in the Public Sec<strong>to</strong>r .............................................. 6<br />
<strong>4A</strong>.2 Distinctive Features of <strong>Performance</strong> <strong>Audit</strong>ing ........................................................ 12<br />
<strong>4A</strong>.3 <strong>Performance</strong> <strong>Audit</strong>ing Supervision ........................................................................ 19<br />
4B. Planning a <strong>Performance</strong> <strong>Audit</strong> Engagement (40%) ....................................................... 24<br />
4B. Learning Outcomes ................................................................................................... 24<br />
4B.1 <strong>Performance</strong> <strong>Audit</strong>s in the <strong>Audit</strong> Plan .................................................................... 24<br />
4B.2 Getting Started ...................................................................................................... 29<br />
<strong>Performance</strong> <strong>Audit</strong> Pre-Study ....................................................................................... 30<br />
4B.3 <strong>Audit</strong> Objectives .................................................................................................... 32<br />
<strong>Audit</strong> Questions............................................................................................................ 33<br />
4B.4 <strong>Audit</strong> Scope .......................................................................................................... 34<br />
4B.5 Methodology ......................................................................................................... 36<br />
4B.6 <strong>Audit</strong> Criteria ......................................................................................................... 39<br />
4C. Performing a <strong>Performance</strong> <strong>Audit</strong> Engagement (20%) ................................................... 43<br />
4C. Learning Outcomes ................................................................................................... 43<br />
4C.1 <strong>Audit</strong>ing Economy, Effectiveness, and Efficiency .................................................. 43<br />
Measuring Economy, Effectiveness, and Efficiency ..................................................... 46<br />
4C.2 <strong>Audit</strong> Documentation ............................................................................................. 49<br />
4D. Communicating <strong>Performance</strong> <strong>Audit</strong> Engagement Results (30%) .................................. 53<br />
4D. Learning Outcomes ................................................................................................... 53<br />
4D.1 <strong>Performance</strong> <strong>Audit</strong> Report ..................................................................................... 53<br />
4D.2 Moni<strong>to</strong>ring and Follow-Up ..................................................................................... 57<br />
Appendix 1: Extract from IIA Competency Framework ........................................................ 60<br />
References and Additional Reading .................................................................................... 63<br />
2
<strong>Module</strong> 4: <strong>Introduction</strong> <strong>to</strong> <strong>Performance</strong> <strong>Audit</strong><br />
<strong>Introduction</strong><br />
The TIAPS program has been developed for public sec<strong>to</strong>r internal audi<strong>to</strong>rs typically with<br />
three <strong>to</strong> five years of relevant experience, including those who are or who aspire <strong>to</strong> be in<br />
supervisory and managerial positions. It is suitable for those who are familiar with how <strong>to</strong><br />
plan and perform internal audit services and communicate findings and insights. It aims <strong>to</strong><br />
develop a deeper practical understanding of the contribution internal audit makes <strong>to</strong><br />
organizational effectiveness and improvement as well as exploring how <strong>to</strong> coordinate and<br />
optimize internal audit resources and services. This includes building relationships with key<br />
stakeholders, developing a strategy for the internal audit function, managing people and<br />
other resources, enhancing quality and effectiveness through adoption of advanced<br />
practices, providing audit opinions, and supervising audit engagements.<br />
The TIAPS program comprises four modules:<br />
<strong>Module</strong> 1: <strong>Audit</strong> and Assurance<br />
<strong>Module</strong> 2: Good Governance, Managerial Accountability, Developing Strategy, and Data<br />
Analysis<br />
<strong>Module</strong> 3: Accounting Fundamentals<br />
<strong>Module</strong> 4: <strong>Introduction</strong> <strong>to</strong> <strong>Performance</strong> <strong>Audit</strong><br />
<strong>Module</strong> 4: <strong>Introduction</strong> <strong>to</strong> <strong>Performance</strong> <strong>Audit</strong> describes the main characteristics of<br />
performance auditing as planned, conducted, and reported by the internal audit function.<br />
While there are many similarities with the performance audits of Supreme <strong>Audit</strong> Institutions,<br />
there are also important differences, not least the relevant professional standards, scope,<br />
and accountability. However, the purpose and approach of the auditing process are broadly<br />
similar. Guidance produced <strong>to</strong> help external audi<strong>to</strong>rs is also highly relevant for internal audit<br />
engagements.<br />
<strong>Performance</strong> auditing is also referred <strong>to</strong> as operational auditing or value for money auditing<br />
and by other terms and attempts <strong>to</strong> evaluate the economy, effectiveness, and efficiency of<br />
government activities, programs, and initiatives. <strong>Performance</strong> auditing serves the interests of<br />
two main groups:<br />
<br />
<br />
Organizational leaders, senior management, and those charged with governance by<br />
providing assurance and insight that may support continuous improvements.<br />
Wider stakeholders and the public by providing greater transparency and thus<br />
supporting accountability.<br />
The <strong>Module</strong> describes the processes involved in performance auditing from planning through<br />
<strong>to</strong> completion and reporting. It also considers the importance of performance auditing <strong>to</strong> the<br />
public sec<strong>to</strong>r.<br />
The module is organized as follows:<br />
<strong>4A</strong>. <strong>Introduction</strong> <strong>to</strong> <strong>Performance</strong> <strong>Audit</strong>ing (10%)<br />
<strong>4A</strong>.1 The Role of <strong>Performance</strong> <strong>Audit</strong>s in the Public Sec<strong>to</strong>r<br />
3
<strong>4A</strong>.2 Distinctive Features of <strong>Performance</strong> <strong>Audit</strong>ing<br />
<strong>4A</strong>.3 <strong>Performance</strong> <strong>Audit</strong>ing Supervision<br />
4B. Planning a <strong>Performance</strong> <strong>Audit</strong> Engagement (40%)<br />
4B.1 <strong>Performance</strong> <strong>Audit</strong>s in the <strong>Audit</strong> Plan<br />
4B.2 Getting Started<br />
4B.3 <strong>Audit</strong> Objectives<br />
4B.4 <strong>Audit</strong> Scope<br />
4B.5 <strong>Audit</strong> Methodology<br />
4B.6 <strong>Audit</strong> Criteria<br />
4C. Performing a <strong>Performance</strong> <strong>Audit</strong> Engagement (20%)<br />
4C.1 <strong>Audit</strong>ing Efficiency, Economy, and Effectiveness<br />
4C.2 <strong>Audit</strong> Documentation<br />
4D. Communicating <strong>Performance</strong> <strong>Audit</strong> Engagement Results (30%)<br />
4D.1 <strong>Performance</strong> <strong>Audit</strong> Report<br />
4D.2 Moni<strong>to</strong>ring and Follow-Up<br />
References and Additional Reading<br />
Relevant Standards<br />
Reference is made throughout the TIAPS program <strong>to</strong> relevant international standards,<br />
principally those of The Institute of Internal Audi<strong>to</strong>rs (IIA) included in the International<br />
Professional Practices Framework (IPPF). Other standards and frameworks, most notably<br />
the COSO Internal Control – Integrated Framework and INTOSAI International Standards for<br />
Supreme <strong>Audit</strong> Institutions (ISSAI), are also noted where appropriate.<br />
The IIA launched the Global Internal <strong>Audit</strong> Standards January 9, 2024 <strong>to</strong> supersede the<br />
International Standards for the Professional Practice of Internal <strong>Audit</strong>ing <strong>to</strong>gether with a<br />
significant restructuring of the IPPF. Internal audit functions are expected <strong>to</strong> implement the<br />
new standards by January 2025. The content of this <strong>Module</strong> reflects the 2017 edition of the<br />
IPPF (published in 2016 and effective from the start of 2017 until the end of 2024).<br />
Participants should familiarize themselves with the Global Internal <strong>Audit</strong> Standards, although<br />
fundamental principles about the practice of internal auditing have not changed<br />
substantively. Assessment for this program will not require students <strong>to</strong> be familiar with the<br />
new standards.<br />
Relevant Competencies<br />
Reference is made throughout the material <strong>to</strong> relevant competencies taken from the IIA’s<br />
Internal <strong>Audit</strong> Competency Framework. The purpose of including these statements, which<br />
describe competencies at three levels (General Awareness, Applied Knowledge, and<br />
Expert), is <strong>to</strong> remind students of the practical nature of this program. To develop<br />
4
competencies, knowledge acquired by reading, reflection, and experience needs <strong>to</strong> be<br />
applied <strong>to</strong> practical situations and supported by appropriate attitudes and values. Personal<br />
and professional development is a continuous process.<br />
The IIA’s Internal <strong>Audit</strong> Competency Framework is designed for all internal audi<strong>to</strong>rs, is based<br />
on global research, and represents recognized best practices. The statements are<br />
necessarily brief and much more detail and information is needed <strong>to</strong> substantiate and<br />
contextualize the content. The statements can be regarded as signposts <strong>to</strong> help internal<br />
audi<strong>to</strong>rs and their managers navigate their careers, identifying opportunities for ongoing<br />
advancement <strong>to</strong> remain competent and best able <strong>to</strong> meet or exceed the needs and<br />
expectations of their stakeholders.<br />
The INTOSAI competency framework is also referenced.<br />
References and Additional Reading<br />
References are given at the end of this module. Participants are encouraged <strong>to</strong> read these <strong>to</strong><br />
provide greater understanding of the <strong>to</strong>pics. The items have been selected <strong>to</strong> complement<br />
the content included in this module and <strong>to</strong> offer internal audi<strong>to</strong>rs relevant, practical guidance.<br />
5
<strong>4A</strong>. <strong>Introduction</strong> <strong>to</strong> <strong>Performance</strong> <strong>Audit</strong>ing (10%)<br />
<strong>4A</strong>. Learning Outcomes<br />
On completion of this <strong>Module</strong>, students will be better able <strong>to</strong>:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Define performance auditing as it is conducted in the public sec<strong>to</strong>r.<br />
Differentiate performance auditing from other types of audit engagements (notably<br />
financial and conformance).<br />
Differentiate between the performances audits of internal audi<strong>to</strong>rs and external<br />
audi<strong>to</strong>rs (especially those conducted by SAIs).<br />
Identify appropriate standards and competencies for performance auditing.<br />
Describe the importance of supervision in performance auditing.<br />
Describe the importance of materiality in performance auditing.<br />
Assess the importance of audit recommendations.<br />
<strong>4A</strong>.1 The Role of <strong>Performance</strong> <strong>Audit</strong>s in the Public Sec<strong>to</strong>r<br />
<strong>Performance</strong> audits (also known as operational or value for money audits) are a distinctive<br />
feature of public sec<strong>to</strong>r auditing (although they can be applied <strong>to</strong> private sec<strong>to</strong>r organizations<br />
and activities). They are routinely conducted by both internal audi<strong>to</strong>rs and external audi<strong>to</strong>rs.<br />
Definition of <strong>Performance</strong> <strong>Audit</strong>ing<br />
The Institute of Internal Audi<strong>to</strong>rs (IIA) offers a brief definition of performance auditing in<br />
Practice Guide: Unique Aspects of Internal <strong>Audit</strong>ing in the Public Sec<strong>to</strong>r:<br />
Evaluations of achievement of agency/program stated outcomes <strong>to</strong> determine<br />
whether public funds have been used with economy, effectiveness, and efficiency,<br />
also known as operational or value-for-money auditing. 1<br />
For external audi<strong>to</strong>rs, performance audits are one of the three main types of engagements<br />
recognized by the International Organization of Supreme <strong>Audit</strong> Institutions (INTOSAI) (the<br />
other two being financial and compliance audits, with additional consideration given <strong>to</strong><br />
jurisdictional audits). INTOSAI provides the following definition:<br />
<strong>Performance</strong> auditing carried out by SAIs [Supreme <strong>Audit</strong> Institutions] is an independent,<br />
objective, and reliable examination of whether government undertakings, systems,<br />
operations, programmes, activities, or organizations are operating in accordance with the<br />
principles of economy, efficiency, and effectiveness and whether there is room for<br />
improvement. 2<br />
(The three key terms economy, efficiency, and effectiveness are defined below.) This<br />
definition is equally applicable <strong>to</strong> performance auditing conducted by internal audi<strong>to</strong>rs,<br />
although different (but comparable) professional standards are used, and the scope of an<br />
internal audit engagement is limited <strong>to</strong> the entity (or entities) <strong>to</strong> which the audi<strong>to</strong>rs are<br />
accountable. The scope of SAIs, by contrast, in evaluating the use of public funds in respect<br />
of national priorities, is the entirety of the public sec<strong>to</strong>r, although many entities and their<br />
1<br />
Practice Guide: Unique Aspects of Internal <strong>Audit</strong>ing in the Public Sec<strong>to</strong>r, The IIA, 2022.<br />
2<br />
ISSAI 3000 <strong>Performance</strong> <strong>Audit</strong> Standard, INTOSAI, 2019.<br />
6
activities, especially those of lower tier or local government, may be audited by other<br />
external providers according <strong>to</strong> legal and regula<strong>to</strong>ry requirements.<br />
A definition specific <strong>to</strong> internal audit is offered as follows:<br />
<strong>Performance</strong> auditing is a technique used by internal audi<strong>to</strong>rs <strong>to</strong> evaluate the economy,<br />
efficiency, and effectiveness of the organisation’s operations so as <strong>to</strong> assure<br />
management that its strategic objectives are being carried out and whether or not they<br />
can be improved on. The scope of the audit is expanded beyond the verification of<br />
financial controls or compliance with policies as it looks for the existence of management<br />
measures such as leadership, employee empowerment, teamwork, risk assessment,<br />
management information, communication, resource allocation, productivity<br />
measurement, etc. <strong>Performance</strong> auditing therefore requires flexibility, imagination and<br />
analytical skills <strong>to</strong> provide organisations with innovative solutions and new ideas. 3<br />
Describing it as a “technique” is not intended <strong>to</strong> narrow what in reality embraces a<br />
framework, approach, and set of activities which are collectively applied <strong>to</strong> performance<br />
auditing. The potential scope of performance audits is constrained only by practicalities such<br />
as resources. In principle, audi<strong>to</strong>rs can focus their attention <strong>to</strong> where it is most needed<br />
depending on perceived priorities which may be subject <strong>to</strong> change over time <strong>to</strong> include<br />
<strong>to</strong>pical issues such as sustainability, public health, and matters relating <strong>to</strong> access, diversity,<br />
equity and inclusion.<br />
In general terms, all audits can be classified under two broad headings:<br />
Verification auditing, where audi<strong>to</strong>rs validate information prepared by another party.<br />
Information development auditing, where audi<strong>to</strong>rs develop new information. 4<br />
In many cases, audit engagements include a combination of verification and information<br />
development. Compliance and financial audits belong <strong>to</strong> the former, performance audits <strong>to</strong><br />
the latter. In practice, many performance audits include elements of compliance, financial,<br />
and IT audits as ways of evaluating performance (although the purpose is not <strong>to</strong> arrive at an<br />
opinion on the accuracy of financial statements).<br />
While the IPPF covers all internal audit services and makes no real distinction among types<br />
of audits, Standards 2120 (Risk Management) and 2130 (Control) direct internal audi<strong>to</strong>rs <strong>to</strong><br />
make evaluations in the context of:<br />
Achievement of the organization’s strategic objectives.<br />
Reliability and integrity of financial and operational information.<br />
Effectiveness and efficiency of operations and programs.<br />
Safeguarding of assets.<br />
Compliance with laws, regulations, policies, procedures, and contracts. 5<br />
3<br />
Performing <strong>Audit</strong>ing, KPMG, 2013.<br />
4<br />
See Rauum and Morgan, <strong>Performance</strong> <strong>Audit</strong>ing: A Measurement Approach, The Internal<br />
<strong>Audit</strong> Research Foundation, 2009.<br />
5<br />
The International Professional Practices Framework, The IIA, 2016.<br />
7
The first and third of these aspects are consistent with the focus and purpose of<br />
performance auditing. However, performance auditing considers a broad range of subject<br />
matter and can contribute <strong>to</strong> all aspects of the mission of internal auditing. For example:<br />
<br />
<br />
<br />
Operational information relates closely <strong>to</strong> efficiency and effectiveness.<br />
Safeguarding of assets has a strong link with the principle of economy.<br />
Compliance with laws, regulations, policies, and other authorities is often a key<br />
consideration in performance auditing.<br />
The following table summarizes the main similarities and differences between the<br />
performance audits conducted by internal audi<strong>to</strong>rs and SAI external audi<strong>to</strong>rs.<br />
Primary<br />
Characteristics<br />
Relevant<br />
professional<br />
standards<br />
Relevant<br />
competencies<br />
Mandate<br />
Primary<br />
accountability<br />
Purpose of<br />
performance<br />
auditing<br />
Type of audit<br />
Scope<br />
Methodology<br />
Criteria<br />
<strong>Performance</strong> <strong>Audit</strong>ing<br />
Internal <strong>Audit</strong><br />
External <strong>Audit</strong> (SAI)<br />
Manda<strong>to</strong>ry and recommended General and specific principles,<br />
elements of The IIA’s<br />
standards, and guidance of<br />
International Professional INTOSAI’s International<br />
Practices Framework (IPPF) Framework of Professional<br />
applicable <strong>to</strong> all audits.<br />
Pronouncements (IFPP)<br />
comprising principles (INTOSAI-<br />
P), standards (ISSAIs) and<br />
guidance (GUIDs).<br />
Defined by The IIA’s Internal<br />
<strong>Audit</strong> Competency Framework.<br />
Defined by INTOSAI’s<br />
Competency Framework for<br />
Public Sec<strong>to</strong>r <strong>Audit</strong> Professionals<br />
at Supreme <strong>Audit</strong> Institutions.<br />
Defined in the Internal <strong>Audit</strong> Defined in legislation.<br />
Charter and/or legislation.<br />
To the governing body and To parliament and the public.<br />
senior leadership of an individual<br />
entity or group of entities.<br />
To determine whether public funds have been used with economy,<br />
effectiveness, and efficiency, and identify opportunities for<br />
improvement.<br />
Assurance. 6 While performance audits are assurance engagements,<br />
audi<strong>to</strong>rs may be asked <strong>to</strong> provide advisory services. This is formally<br />
within the mandate of internal audi<strong>to</strong>rs and is increasingly regarded<br />
as part of the role of external audi<strong>to</strong>rs as well.<br />
Activities, programs, processes,<br />
and systems of an individual<br />
entity or group of entities.<br />
Determined by the audi<strong>to</strong>r.<br />
Activities, programs, processes,<br />
systems, and entities across the<br />
public sec<strong>to</strong>r.<br />
Determined by the audi<strong>to</strong>r, supported by standards, guidance,<br />
policies, manuals, and handbooks.<br />
Determined by the audi<strong>to</strong>r, supported by standards, guidance,<br />
policies, manuals, and handbooks.<br />
6<br />
Referred <strong>to</strong> as a “direct reporting engagement” by external audi<strong>to</strong>rs as the <strong>to</strong>pic, scope,<br />
objectives, and criteria are selected and defined by the audi<strong>to</strong>r.<br />
8
Primary similarities and differences between performance audits of internal and external<br />
audi<strong>to</strong>rs<br />
For SAIs national standards may also apply or substitute for the ISSAIs. Other external audit<br />
providers will apply standards according <strong>to</strong> statu<strong>to</strong>ry requirements.<br />
Standards for <strong>Performance</strong> <strong>Audit</strong>ing<br />
First and foremost, performance auditing is a form of auditing and therefore the general<br />
requirements for managing and executing all such engagements apply.<br />
Standards for <strong>Performance</strong> <strong>Audit</strong>ing – External <strong>Audit</strong><br />
For external audi<strong>to</strong>rs in the public sec<strong>to</strong>r, this means the INTOSAI Founding Principles<br />
(INTOSAI-P 1-99), Fundamental Principles (ISSAI 100-129), and Organizational<br />
Requirements (ISSAI 130-199) apply as they do for all external audits. In addition, specific<br />
standards for <strong>Performance</strong> <strong>Audit</strong> (ISSAI 300-399 and 3000-3899) also apply. ISSAI also<br />
provides supplementary guidance (GUID 3900-3999) <strong>to</strong> support implementation.<br />
Likewise, the “cross-cutting competencies” defined in the INTOSAI competency framework<br />
are applicable <strong>to</strong> all engagements and are arranged in five clusters:<br />
CC1: An audit professional leads by example.<br />
CC2: An audit professional engages effectively with stakeholders.<br />
CC3: An audit professional behaves in a professional manner.<br />
CC4: An audit professional contributes <strong>to</strong> the value and benefits of the SAI.<br />
CC5: Additional reflection for SAIs with Jurisdictional Responsibilities. 7<br />
There are also specific competencies defined for each major type of audit, including the<br />
following clusters for performance auditing:<br />
<br />
<br />
<br />
<br />
<br />
PAC1: An audit professional adds value by conducting ISSAI-compliant performance<br />
audits.<br />
PAC2: An audit professional demonstrates an understanding of context,<br />
environment, and entity in a performance audit.<br />
PAC3: An audit professional assesses and manages risk in a performance audit.<br />
PAC4: An audit professional performs and documents performance audit procedures<br />
as per ISSAIs.<br />
PAC5: An audit professional effectively communicates and follows up on<br />
performance audit results. 8<br />
Standards for <strong>Performance</strong> <strong>Audit</strong>ing – Internal <strong>Audit</strong><br />
The IIA does not provide separate standards for performance auditing and very limited<br />
official guidance. Practitioners need <strong>to</strong> adhere <strong>to</strong> The IIA’s International Practices<br />
Professional Framework (IPPF) applicable <strong>to</strong> all assurance and advisory engagements. This<br />
entails performance audits need <strong>to</strong> be consistent with the following:<br />
7<br />
Competency Framework for Public Sec<strong>to</strong>r <strong>Audit</strong> Professionals at Supreme <strong>Audit</strong><br />
Institutions, INTOSAI, 2019.<br />
8<br />
Competency Framework for Public Sec<strong>to</strong>r <strong>Audit</strong> Professionals at Supreme <strong>Audit</strong><br />
Institutions, INTOSAI, 2019.<br />
9
The Definition of Internal <strong>Audit</strong>ing.<br />
o Internal auditing is an independent, objective assurance and consulting<br />
activity designed <strong>to</strong> add value and improve an organization’s operations. It<br />
helps an organization accomplish its objectives by bringing a systematic,<br />
disciplined approach <strong>to</strong> evaluate and improve the effectiveness of risk<br />
management, control, and governance processes. 9<br />
The Mission of Internal <strong>Audit</strong>.<br />
o To enhance and protect organizational value by providing risk-based and<br />
objective assurance, advice, and insight. 10<br />
The Core Principles for the Professional Practice of Internal <strong>Audit</strong>ing.<br />
o Demonstrates integrity.<br />
o Demonstrates competence and due professional care.<br />
o Is objective and free from undue influence (independent).<br />
o Aligns with the strategies, objectives, and risks of the organization.<br />
o Is appropriately positioned and adequately resourced.<br />
o Demonstrates quality and continuous improvement.<br />
o Communicates effectively.<br />
o Provides risk-based assurance.<br />
o Is insightful, proactive, and future-focused.<br />
o Promotes organizational improvement. 11<br />
The Code of Ethics.<br />
1. Integrity: The integrity of internal audi<strong>to</strong>rs establishes trust and thus provides<br />
the basis for reliance on their judgment.<br />
2. Objectivity: Internal audi<strong>to</strong>rs exhibit the highest level of professional<br />
objectivity in gathering, evaluating, and communicating information about the<br />
activity or process being examined. Internal audi<strong>to</strong>rs make a balanced<br />
assessment of all the relevant circumstances and are not unduly influenced<br />
by their own interests or by others in forming judgments.<br />
3. Confidentiality: Internal audi<strong>to</strong>rs respect the value and ownership of<br />
information they receive and do not disclose information without appropriate<br />
authority unless there is a legal or professional obligation <strong>to</strong> do so.<br />
4. Competency: Internal audi<strong>to</strong>rs apply the knowledge, skills, and experience<br />
needed in the performance of internal audit services. 12<br />
The International Standards for the Professional Practice of Internal <strong>Audit</strong>ing.<br />
o Attribute Standards (1000-1322).<br />
o <strong>Performance</strong> Standards (2000-2600).<br />
Care should be taken <strong>to</strong> avoid confusion regarding the <strong>Performance</strong> Standards of the IPPF<br />
which “describe the nature of internal auditing and provide quality criteria against which the<br />
performance of these services can be measured,” applicable <strong>to</strong> all types of engagements. 13<br />
9<br />
The International Professional Practices Framework, The IIA, 2016.<br />
10<br />
The International Professional Practices Framework, The IIA, 2016.<br />
11<br />
The International Professional Practices Framework, The IIA, 2016.<br />
12<br />
The International Professional Practices Framework, The IIA, 2016.<br />
13<br />
The International Professional Practices Framework, The IIA, 2016.<br />
10
Non-manda<strong>to</strong>ry but recommended guidance (Implementation Guidance and Supplemental<br />
Guidance) is also useful where relevant. 14 While ISSAI standards and guidance are<br />
designed for SAIs, such content is often of great value <strong>to</strong> internal audi<strong>to</strong>rs as well.<br />
The IIA Competency Framework is organized in four knowledge areas:<br />
Professionalism.<br />
<strong>Performance</strong>.<br />
Environment.<br />
Leadership and Communication. 15<br />
All elements are relevant for performance auditing. Competencies taken from the<br />
performance knowledge area of particular interest for planning, performing, and reporting are<br />
included in Appendix 1.<br />
<strong>Performance</strong> <strong>Audit</strong>ing Consistent with Mandate/Charter<br />
The types of audit engagements <strong>to</strong> be provided should be made clear by the legislation or<br />
charter defining the mandate of the internal or external audit provider. For example, the<br />
internal audit law of Albania includes direct reference <strong>to</strong> performance audits, as follows:<br />
Types of Internal <strong>Audit</strong> services<br />
Internal audit activity includes assurance and counselling services as follows:<br />
1. An audit engagement in assurance services includes a thorough assessment of<br />
the governance, risk management and control processes in a public sec<strong>to</strong>r unit<br />
through compliance audit, performance audit, financial audit, information<br />
technology audit and other types of auditing.<br />
2. An audit engagement in counselling services includes providing counselling and<br />
opinions aiming at adding value and improving risk management and control<br />
processes on which internal audit has no managerial responsibilities. An audit<br />
engagement in counselling services is initiated by the head of public entity. 16<br />
For the Supreme State Control of Albania, “audit” is defined <strong>to</strong> include “compliance auditing,<br />
financial auditing, performance audit, IT audit, as well as their combined audit” and has<br />
authority <strong>to</strong> conduct performance audits in any activity considered necessary. 17<br />
Internal and External <strong>Performance</strong> <strong>Audit</strong>ing<br />
Internal audi<strong>to</strong>rs and external audi<strong>to</strong>rs have different mandates. However, both undertake<br />
performance audits. While standards may differ, they are comparable and compatible. In the<br />
absence of specific performance standards for internal auditing and detailed guidance, those<br />
designed for external audi<strong>to</strong>rs provide plenty of value for internal audi<strong>to</strong>rs.<br />
14<br />
For a list of IIA public sec<strong>to</strong>r guidance visit https://www.theiia.org/en/standards/what-arethe-standards/recommended-guidance/supplemental-guidance/.<br />
15<br />
The IIA’s Internal <strong>Audit</strong> Competency Framework, The IIA, 2022.<br />
16<br />
Law No. 114/2015 on Internal <strong>Audit</strong> in the Public Sec<strong>to</strong>r, Republic of Albania Assembly,<br />
2015.<br />
17<br />
Law No. 154/2014 for the Organization and Functioning of the State High Control,<br />
Republic of Albania, 2014.<br />
11
Given the similarities between the work of internal audi<strong>to</strong>rs and external audi<strong>to</strong>rs, it can be<br />
very useful for internal audit functions and SAIs <strong>to</strong> work <strong>to</strong>gether <strong>to</strong>ward the shared goal of<br />
evaluating the economy, effectiveness, and efficiency of public sec<strong>to</strong>r practices at the policy,<br />
system, project, entity, or sec<strong>to</strong>r-wide level. <strong>Audit</strong> providers need <strong>to</strong> maintain their<br />
independence and remain free <strong>to</strong> plan and operate without interference. Audi<strong>to</strong>rs are<br />
responsible for the results of their audits even when they rely on the work of other assurance<br />
providers. However, there are opportunities for working <strong>to</strong>gether that do not impede these<br />
basic principles. Examples include:<br />
<br />
<br />
<br />
<br />
<br />
<br />
Discuss audit themes, trends, and priorities.<br />
Share details of audit plans with each other and consider adjusting plans <strong>to</strong><br />
coordinate activities where possible <strong>to</strong> avoid bunching, excessive coverage, or audit<br />
fatigue as well as aligning on <strong>to</strong>pics of joint concern.<br />
Share resources and expertise, with the potential for internal audi<strong>to</strong>rs <strong>to</strong> act as guest<br />
audi<strong>to</strong>rs or subject matter experts for an external audit and vice versa.<br />
Collaborate on audit training on <strong>to</strong>pics of mutual interest.<br />
Use each other’s results when work is relevant, timely, and reliable.<br />
Advocate jointly with stakeholders and influential agents for the importance of<br />
assurance and advisory services that are competent, well-resourced, appropriately<br />
positioned, and independent.<br />
<strong>4A</strong>.1: Reflection<br />
Does your internal audit function provide performance audits?<br />
How close in approach and subject matter are the performance audits of internal audi<strong>to</strong>rs<br />
and external audi<strong>to</strong>rs?<br />
Is it important for internal and external audi<strong>to</strong>rs <strong>to</strong> communicate and coordinate activities<br />
regarding performance audits?<br />
In addition <strong>to</strong> the generic internal audit competencies included in The IIA’s Internal <strong>Audit</strong><br />
Competency Framework, are there specific competencies – focusing on distinct knowledge,<br />
skills, and mindsets – needed for performing performance audits, and if so what are they?<br />
<strong>4A</strong>.2 Distinctive Features of <strong>Performance</strong> <strong>Audit</strong>ing<br />
<strong>Performance</strong> audits start with two fundamental considerations:<br />
<br />
<br />
What performance is <strong>to</strong> be reviewed (i.e., what needs <strong>to</strong> be examined among public<br />
sec<strong>to</strong>r programs, activities, functions, and entities, and over what period)?<br />
What level of performance is expected, desired, or possible?<br />
Accordingly, audi<strong>to</strong>rs must be fully acquainted with performance management systems and<br />
how they are organized. These are generally aligned with program budgeting and budgetary<br />
control, although performance is not <strong>to</strong> be considered purely in financial terms. The audi<strong>to</strong>r<br />
must also be familiar with planning and review cycles and how these are used by<br />
management <strong>to</strong> regulate and moni<strong>to</strong>r activity.<br />
12
The IPPF does not prescribe specific sequential steps an internal audi<strong>to</strong>r must follow when<br />
completing an engagement. The mechanics of such audits follow the usual processes<br />
related <strong>to</strong> planning, performing, and communication and in accordance with the relevant<br />
standards. As for all engagements, prior <strong>to</strong> planning a performance audit, a decision is made<br />
<strong>to</strong> include it in the audit plan, including the area of focus or <strong>to</strong>pic (although this is refined as<br />
part of the audit preparation when the scope and objectives are more fully developed).<br />
Inclusion of performance audits in the internal audit plan and consideration of <strong>to</strong>pics are<br />
covered in section 4B.1.<br />
The processes adopted for a performance audit may be defined in the audit manual with<br />
supporting documentation. Many audi<strong>to</strong>rs (both internal and external) follow an approach<br />
akin <strong>to</strong> the illustration below (based on <strong>Performance</strong> <strong>Audit</strong> ISSAI Implementation<br />
Handbook). 18<br />
Step 1<br />
•Select audit<br />
<strong>to</strong>pic<br />
Step 2<br />
•Design audit<br />
Step 3<br />
•Conduct audit<br />
Step 4<br />
•Develop audit<br />
outputs<br />
Step 5<br />
•Communicate<br />
audit outputs<br />
Step 6<br />
•Follow up<br />
<strong>Performance</strong> <strong>Audit</strong> Process: Overview<br />
In this context, “audit outputs” refers <strong>to</strong> findings, conclusions, and recommendations.<br />
The following internal and external audit standards are especially relevant <strong>to</strong> these six steps:<br />
Step 1<br />
IIA<br />
Select audit <strong>to</strong>pic<br />
2010 – Planning<br />
2100 – Nature of Work<br />
ISSAI Three Parties in <strong>Performance</strong> <strong>Audit</strong>ing 300/16-18<br />
Subject Matter and Criteria in <strong>Performance</strong> <strong>Audit</strong>ing 300/19-20<br />
18<br />
See <strong>Performance</strong> <strong>Audit</strong> ISSAI Implementation Handbook, IDI, 2021.<br />
13
Step 2<br />
IIA<br />
Confidence and Assurance in <strong>Performance</strong> <strong>Audit</strong>ing 300/21-23<br />
Design audit<br />
2200 – Engagement Planning<br />
2201 – Planning Considerations<br />
2210 – Engagement Objectives<br />
2220 – Engagement Scope<br />
2230 – Engagement Resource Allocation<br />
2240 – Engagement Work Program<br />
ISSAI Subject Matter 3000/29-31<br />
Selecting the Topic 3000/89-95<br />
<strong>Audit</strong> Objective 300/25, 3000/35-39<br />
<strong>Audit</strong> Approach 300/26, 3000/40-44<br />
Criteria 300/27, 3000/45-51<br />
<strong>Audit</strong> Risk 300/28, 3000/52-54<br />
Planning 300/36<br />
Designing the <strong>Audit</strong> 300/37, 3000/96-105<br />
Step 3<br />
IIA<br />
Conduct audit<br />
2300 – Performing the Engagement<br />
2310 – Identifying Information<br />
ISSAI Conducting 3000/106-115<br />
Step 4 Develop audit outputs (findings, conclusions, recommendations)<br />
IIA 2320 – Analysis and Evaluation<br />
2330 – Documenting Information<br />
ISSAI Evidence, Findings, and Conclusions 300/38<br />
Professional Judgment and Skepticism 300/31, 3000/68-78<br />
Documentation 300/34, 3000/86-88<br />
Step 5<br />
IIA<br />
Communicate audit outputs (findings, conclusions, recommendations)<br />
2400 – Communicating Results<br />
2419 – Criteria for Communicating<br />
2420 – Quality of Communications<br />
2421 – Errors and Omissions<br />
2430 – Use of “Conducted in Conformance with the International Standards for the<br />
Professional Practice of Internal <strong>Audit</strong>ing”<br />
2431 – Engagement Disclosure of Nonconformance<br />
2440 – Disseminating Results<br />
2450 – Overall Opinions<br />
ISSAI Communication 300/29, 3000/55-62<br />
Quality Control 300/32, 3000/79-82<br />
Content of the Report 300/39<br />
Reporting 3000/116-135<br />
Recommendations 300/40<br />
Distribution of the report 300/41<br />
Step 6<br />
IIA<br />
Follow-up<br />
2500 – Moni<strong>to</strong>ring Progress<br />
2600 – Communicating the Acceptance of Risk<br />
ISSAI Follow-Up 300/42, 3000/136-141<br />
Internal <strong>Audit</strong> (IIA) and External <strong>Audit</strong> (ISSAI) Standards Relevant <strong>to</strong> <strong>Performance</strong> <strong>Audit</strong>ing<br />
Engagement supervision (IIA Standard 2340, ISSAI Standard 3000/66-67) is an important<br />
aspect for quality control throughout the engagement and is covered in section <strong>4A</strong>.3.<br />
14
In describing performance auditing, it is common <strong>to</strong> refer <strong>to</strong> the three Es:<br />
<br />
<br />
<br />
Economy.<br />
Effectiveness.<br />
Efficiency.<br />
While the three Es remain the core focus of performance auditing, consideration can be<br />
extended <strong>to</strong> cover the following:<br />
<br />
<br />
<br />
Environment.<br />
Equity.<br />
Ethics.<br />
The six Es are illustrated in the graphic below.<br />
Efficiency<br />
Environment<br />
Effectiveness<br />
Equity<br />
Economy<br />
Six Es of<br />
<strong>Performance</strong><br />
<strong>Audit</strong>ing<br />
Ethics<br />
The Six Es of <strong>Performance</strong> <strong>Audit</strong>ing<br />
The first three are defined in ISSAI 300:<br />
Economy is minimizing costs of resources used in performing an activity. The resources<br />
used should be available in due time, in and of appropriate quantity and quality and at<br />
the best price.<br />
Efficiency is getting the most from available resources. It is concerned with the<br />
relationship between resources employed (the inputs) and outputs delivered in terms of<br />
quantity, quality, and timing.<br />
Effectiveness is meeting the objectives set and achieving the intended results. 19<br />
19<br />
ISSAI 300 <strong>Performance</strong> <strong>Audit</strong> Principles, INTOSAI, 2019.<br />
15
To appreciate these distinctions, it is important <strong>to</strong> recognize the relationships among<br />
purpose, inputs, activities (or processes), outputs, outcomes, and impacts. When<br />
considering performance of any kind one may ask:<br />
Purpose: what are the objectives (i.e., intended outputs, outcomes, and impacts) of<br />
the project?<br />
Inputs: what resources are required <strong>to</strong> enable the project?<br />
Activities (or processes): what does the project do?<br />
Outputs: what does the project produce?<br />
Outcomes: what does the project achieve?<br />
Impacts: how does the project contribute <strong>to</strong> high level strategic goals? 20<br />
For example, a program of vaccination may be considered as follows:<br />
<br />
<br />
<br />
<br />
<br />
<br />
Purpose: <strong>to</strong> reduce the occurrence and spread of disease.<br />
Inputs: medical professionals, vaccines, equipment, facilities, and other resources.<br />
Activities (or processes): promotional campaigns, administration, coordination of<br />
patients, medical professionals, and medical facilities.<br />
Outputs: targeted levels of vaccination.<br />
Outcomes: targeted levels of reduced incidence of disease.<br />
Impacts: long-term social benefits related <strong>to</strong> a healthier and more productive<br />
population.<br />
Economy relates <strong>to</strong> the use of inputs. Efficiency relates <strong>to</strong> the way in which inputs are used<br />
<strong>to</strong> achieve outputs. Effectiveness is a measure of performance relating actual outputs,<br />
outcomes, and impacts <strong>to</strong> intended results (as defined in the objectives) as well as desirable<br />
or potential results (based on other criteria).<br />
These relationships are illustrated in the graphic below.<br />
Relationship Among Economy, Efficiency, and Effectiveness 21<br />
In evaluating the three Es, performance auditing usually involves consideration of related<br />
dimensions, such as results (outputs, outcomes, and impacts), timeliness, and quality.<br />
20<br />
See Indica<strong>to</strong>rs of Inputs, Activities, Outputs, Outcomes and Impacts in Security and<br />
Justice Programming, Department of International Development, 2013.<br />
21<br />
Based on Figure 1, <strong>Performance</strong> <strong>Audit</strong> ISSAI Implementation Handbook, IDI, 2021.<br />
16
The other Es are used <strong>to</strong> illustrate the importance of:<br />
<br />
<br />
<br />
Understanding the internal and external context of the performance audit<br />
(environment).<br />
The fundamental objectives of economic and social well-being, inclusion,<br />
participation, access, and security (equity).<br />
Integrity as a pre-requisite for a robust control environment (ethics).<br />
This is reflected in the external audi<strong>to</strong>r competency PAC2: “An audit professional<br />
demonstrates an understanding of context, environment, and entity in a performance<br />
audit.” 22 This competency overlaps with the requirement <strong>to</strong> exercise due professional care.<br />
Standard 1220 – Due Professional Care<br />
Internal audi<strong>to</strong>rs must apply the care and skill expected of a reasonably prudent and<br />
competent internal audi<strong>to</strong>r. Due professional care does not imply infallibility.<br />
1220.A1 Internal audi<strong>to</strong>rs must exercise due professional care by considering the:<br />
Extent of work needed <strong>to</strong> achieve the engagement’s objectives.<br />
Relative complexity, materiality, or significance of matters <strong>to</strong> which assurance<br />
procedures are applied.<br />
Adequacy and effectiveness of governance, risk management, and control<br />
processes.<br />
Probability of significant errors, fraud, or noncompliance.<br />
Cost of assurance in relation <strong>to</strong> potential benefits. 23<br />
This further heightens the importance of materiality and audit risk at all stages in the audit<br />
process.<br />
Materiality<br />
The amount of consideration an audi<strong>to</strong>r should give <strong>to</strong> any feature related <strong>to</strong> performance<br />
depends on its materiality <strong>to</strong> the engagement. Materiality is both a quantitative and a<br />
qualitative matter. When determining if something is material, it is not simply a question of<br />
making a measurement, and an audi<strong>to</strong>r must always apply professional judgment. While<br />
materiality is about significance, it is not defined solely by the absolute value of an item.<br />
Much depends on the specific context.<br />
The key <strong>to</strong> a judgment about materiality is consideration of the impact on the intended users<br />
of the results and the report. This applies <strong>to</strong> judgments about the potential effect on the<br />
subsequent decisions made by the reader of the inclusion, exclusion, and/or misstatement of<br />
an item. This means the audi<strong>to</strong>r must consider the needs of the intended users of the report<br />
as well as other stakeholders. Numerical value must be considered alongside fac<strong>to</strong>rs such<br />
as frequency of occurrence, potential consequences, impact on other matters, public<br />
interest, political sensitivity, regula<strong>to</strong>ry requirements, and cumulative impact of multiple<br />
occurrences.<br />
22<br />
Competency Framework for Public Sec<strong>to</strong>r <strong>Audit</strong> Professionals at Supreme <strong>Audit</strong><br />
Institutions, INTOSAI, 2019.<br />
23<br />
The International Professional Practices Framework, The IIA, 2016.<br />
17
Materiality is relevant for all audits, not just performance audits, although the focus for<br />
financial auditing is primarily numerical. It is also an issue <strong>to</strong> consider throughout the audit<br />
process, and may influence scoping, planning, evaluation, and reporting.<br />
For the internal audi<strong>to</strong>r, the ethical principle of objectivity requires one <strong>to</strong> “disclose all<br />
material facts known <strong>to</strong> them that, if not disclosed, may dis<strong>to</strong>rt the reporting of activities<br />
under review.” 24 Materiality is also relevant <strong>to</strong> the exercise of due professional care requiring<br />
audi<strong>to</strong>rs <strong>to</strong> consider “relative complexity, materiality, or significance of matters <strong>to</strong> which<br />
assurance procedures are applied.” 25<br />
For external audi<strong>to</strong>rs, there is greater direction regarding materiality. According <strong>to</strong> ISSAIs<br />
300 and 3000:<br />
33) Audi<strong>to</strong>rs should consider materiality at all stages of the audit process. Thought<br />
should be given not only <strong>to</strong> financial but also <strong>to</strong> social and political aspects of the<br />
subject matter, with the aim of delivering as much added value as possible. 26<br />
83) The audi<strong>to</strong>r shall consider materiality at all stages of the audit process, including<br />
the financial, social and political aspects of the subject matter with the goal of<br />
delivering as much added value as possible. 27<br />
<strong>Audit</strong> Risk<br />
As a goal-oriented activity, auditing is subject <strong>to</strong> risk. Circumstances relating <strong>to</strong> people,<br />
resources, processes, and events may impact an audit, including its accuracy, timeliness,<br />
relevance, and impact on the recipients of the report. Controls for audit risk include<br />
appropriate audi<strong>to</strong>r training, internal audit policies, careful planning, supervision, and<br />
adherence <strong>to</strong> standards and methodologies.<br />
More specifically, the term “audit risk” is used <strong>to</strong> refer <strong>to</strong> the potential an audi<strong>to</strong>r (usually in<br />
the context of external audit) may issue an incorrect opinion. It is considered in relation <strong>to</strong><br />
financial audits but is useful <strong>to</strong> take in<strong>to</strong> account for all engagements, including performance<br />
engagements. There are inherent risks in making judgments. An audi<strong>to</strong>r must rely on their<br />
ability <strong>to</strong> summarize and evaluate, and necessarily makes assumptions about information<br />
gathered and used. Control risks may arise when organizational processes are used <strong>to</strong><br />
identify material misstatements in reports used by the audi<strong>to</strong>r.<br />
ISSAIs 300 and 3000 guide audi<strong>to</strong>rs in respect of audit risks as follows:<br />
28) Audi<strong>to</strong>rs should actively manage audit risk, which is the risk of obtaining incorrect<br />
or incomplete conclusions, providing unbalanced information or failing <strong>to</strong> add<br />
value for users. 28<br />
24<br />
Rules of Conduct: Objectivity 2.3, The International Professional Practices Framework,<br />
The IIA, 2016.<br />
25<br />
1220 Due Professional Care, The International Professional Practices Framework, The<br />
IIA, 2016.<br />
26<br />
ISSAI 300 <strong>Performance</strong> <strong>Audit</strong> Principles, INTOSAI, 2019.<br />
27<br />
ISSAI 3000 <strong>Performance</strong> <strong>Audit</strong> Standard, INTOSAI, 2019.<br />
28<br />
ISSAI 300 <strong>Performance</strong> <strong>Audit</strong> Principles, INTOSAI, 2019.<br />
18
52) The audi<strong>to</strong>r shall actively manage audit risk <strong>to</strong> avoid the development of incorrect<br />
or incomplete audit findings, conclusions, and recommendations, providing<br />
unbalanced information or failing <strong>to</strong> add value. 29<br />
<strong>4A</strong>.2: Reflection<br />
How is the decision made <strong>to</strong> include a performance audit in the internal audit plan?<br />
Do audit clients understand the difference between performance audits and other kinds of<br />
engagements?<br />
The IIA provides no additional standards for performance audits and limited guidance. Are<br />
the steps and processes for conducting performance audits defined for you in audit policies,<br />
manuals, and handbooks?<br />
<strong>4A</strong>.3 <strong>Performance</strong> <strong>Audit</strong>ing Supervision<br />
Supervision is a prerequisite for all audit engagements for the purposes of quality control.<br />
Supervision also serves <strong>to</strong> improve the efficiency of the audit process. For internal auditing,<br />
supervision is a key part of ongoing moni<strong>to</strong>ring within internal assessments which are key <strong>to</strong><br />
the quality assurance and improvement program.<br />
Ongoing moni<strong>to</strong>ring is an integral part of the day-<strong>to</strong>-day supervision, review, and<br />
measurement of the internal audit activity. Ongoing moni<strong>to</strong>ring is incorporated in<strong>to</strong><br />
the routine policies and practices used <strong>to</strong> manage the internal audit activity and uses<br />
processes, <strong>to</strong>ols, and information considered necessary <strong>to</strong> evaluate conformance<br />
with the Code of Ethics and the Standards. 30<br />
The requirements for audit supervision are included in both IIA and ISSAI standards.<br />
2340 – Engagement Supervision<br />
Engagements must be properly supervised <strong>to</strong> ensure objectives are achieved, quality<br />
is assured, and staff is developed.<br />
Interpretation:<br />
The extent of supervision required will depend on the proficiency and experience of<br />
internal audi<strong>to</strong>rs and the complexity of the engagement. The chief audit executive<br />
has overall responsibility for supervising the engagement, whether performed by or<br />
for the internal audit activity, but may designate appropriately experienced members<br />
of the internal audit activity <strong>to</strong> perform the review. Appropriate evidence of<br />
supervision is documented and retained. 31<br />
29<br />
ISSAI 3000 <strong>Performance</strong> <strong>Audit</strong> Standard, INTOSAI, 2019.<br />
30<br />
Standard 1311 – Internal Assessments, The International Professional Practices<br />
Framework, The IIA, 2016.<br />
31<br />
The International Professional Practices Framework, The IIA, 2016.<br />
19
Supervision<br />
66) The SAI shall ensure that the work of the audit staff at each level and audit phase<br />
is properly supervised during the audit process.<br />
67) <strong>Audit</strong> supervision involves providing sufficient guidance and direction <strong>to</strong> the audit<br />
team assigned <strong>to</strong> the audit. The audi<strong>to</strong>r who supervises the audit would be<br />
expected <strong>to</strong> have competence and knowledge in audit methodologies; planning<br />
and moni<strong>to</strong>ring work; project management; strategic thinking; foresight and<br />
problem solving. The level of supervision provided by the audi<strong>to</strong>r may vary<br />
depending upon the proficiency and experience of the audit team and the<br />
complexity of the subject matter of the audit. 32<br />
It should be noted that a team member designated <strong>to</strong> supervise an engagement should not<br />
have responsibilities for that engagement <strong>to</strong> avoid a conflict of interest. This presents<br />
practical difficulties in small audit teams.<br />
There are two aspects <strong>to</strong> supervision:<br />
<br />
<br />
Overseeing individuals.<br />
Overseeing their work.<br />
The supervisor assigns tasks, confirms expectations, moni<strong>to</strong>rs performance, provides<br />
feedback and encouragement, intervenes where necessary, directs, advises, and coaches,<br />
offers on-the-job training, and acknowledges and celebrates achievements. Supervisors also<br />
provide feedback <strong>to</strong> higher levels of authority, up <strong>to</strong> the head of internal audit or the SAI.<br />
The engagement plan provides a suitable framework within which the supervisor guides and<br />
supports audi<strong>to</strong>rs. The supervisory work may begin with assisting with the development of<br />
the plan which thereafter informs not only the performance of the audit but also the<br />
discharge of supervision. The engagement plan will typically identify the key tasks <strong>to</strong> be<br />
completed, including the following:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Guiding the survey phase <strong>to</strong> obtain knowledge <strong>to</strong> formulate objectives.<br />
Formulating clear audit objectives that set forth what the audit is expected <strong>to</strong><br />
accomplish.<br />
Coordinating with other audi<strong>to</strong>rs when appropriate, including work that is planned or<br />
already completed.<br />
Selecting a valid and sound scope and methodology for accomplishing the objectives<br />
and obtaining sufficient data without wasting resources in acquiring unneeded data.<br />
Establishing the type and amount of resources and staff skills and knowledge, and<br />
the use of any consultants and experts.<br />
Segmenting the work where necessary <strong>to</strong> clearly identify responsibility of assigned<br />
staff.<br />
Identifying audit criteria, when criteria is <strong>to</strong> be applied in the audit.<br />
Selecting a strategy and approach for communicating audit results <strong>to</strong> users timely<br />
and effectively.<br />
32<br />
ISSAI 3000 <strong>Performance</strong> <strong>Audit</strong> Standard, INTOSAI, 2019.<br />
20
Choosing quality assurance steps that will ensure adherence with applicable auditing<br />
standards, including those for evidence <strong>to</strong> support audit findings. 33<br />
The supervisor also has an important role in determining the staff resources needed for the<br />
engagement <strong>to</strong> ensure the right capacity and quality of skills and expertise are available.<br />
The number, frequency, and nature of review meetings held by the supervisor with the<br />
audi<strong>to</strong>r or audi<strong>to</strong>rs should be decided based on need. Fac<strong>to</strong>rs would include the level of<br />
experience of the audi<strong>to</strong>r, the length and complexity of the audit, and personal preferences<br />
of both parties. Meetings should be structured by focusing on the audit plan, have a clear<br />
purpose, and result in agreed actions that are recorded and shared.<br />
Other Aspects of Quality Control<br />
Quality is essential for the integrity of the audit provider. As referenced above, the role of<br />
supervision plays a key role in quality assurance and is described by the IPPF as part of a<br />
comprehensive quality assurance and improvement program (QAIP). <strong>Audit</strong> policies and<br />
procedures should be designed <strong>to</strong> promote quality, conformance with the Standards, and<br />
continuous improvement. Regular internal and external review of the QAIP is needed <strong>to</strong><br />
ensure it is working. The head of the internal audit function is required <strong>to</strong> keep the governing<br />
body advised on matters relating <strong>to</strong> QAIP and conformance.<br />
ISSAI 140 Quality Control for SAIs identifies six elements required for quality assurance and<br />
control, as summarized in the graphic below.<br />
Acceptance and<br />
continuance<br />
Human<br />
resources<br />
Ethical<br />
requirements<br />
<strong>Performance</strong><br />
Leadership<br />
responsibilities<br />
Framework<br />
of Quality<br />
Control<br />
Moni<strong>to</strong>ring<br />
These principles are defined as follows:<br />
Six Elements of SAI’s System of Quality Control 34<br />
<br />
Leadership responsibilities: An SAI should establish policies and procedures<br />
designed <strong>to</strong> promote an internal culture recognising that quality is essential in<br />
33<br />
Rauum and Morgan, <strong>Performance</strong> <strong>Audit</strong>ing: A Measurement Approach, the Internal <strong>Audit</strong><br />
Research Foundation, 2009.<br />
34<br />
As defined in ISSAI 140 Quality Control for SAIs, INTOSAI, 2019.<br />
21
performing all of its work. Such policies and procedures should be set by the Head of<br />
the SAI, who retains overall responsibility for the system of quality control.<br />
Ethical requirements: An SAI should establish policies and procedures designed <strong>to</strong><br />
provide it with reasonable assurance that the SAI, including all personnel and any<br />
parties contracted <strong>to</strong> carry out work for the SAI, comply with relevant ethical<br />
requirements.<br />
Acceptance and continuance: An SAI should establish policies and procedures<br />
designed <strong>to</strong> provide the SAI with reasonable assurance that it will only carry out<br />
audits and other work where the SAI:<br />
a) is competent <strong>to</strong> perform the work and has the capabilities, including time and<br />
resources, <strong>to</strong> do so;<br />
b) can comply with relevant ethical requirements; and<br />
c) has considered the integrity of the organisation being audited and has considered<br />
how <strong>to</strong> treat the risk <strong>to</strong> quality that arises. The policies and procedures should<br />
reflect the range of work carried out by each SAI. In many cases SAls have little<br />
discretion about the work they carry out. SAIs carry out work in three broad<br />
categories:<br />
o Work that is required of them by their mandate and statute and which they<br />
have no option but <strong>to</strong> carry out;<br />
o Work that is required by their mandate, but where they have discretion as <strong>to</strong><br />
the timing, scope and/or nature of work;<br />
o Work that they can choose <strong>to</strong> carry out.<br />
Human resources: The SAI shall establish policies and procedures designed <strong>to</strong><br />
provide it with reasonable assurance that it has sufficient personnel with the<br />
competence, capabilities and commitment <strong>to</strong> ethical principles necessary <strong>to</strong>:<br />
a) perform engagements in accordance with professional standards and applicable<br />
legal and regula<strong>to</strong>ry requirements; and<br />
b) enable the firm or engagement partners <strong>to</strong> issue reports that are appropriate in<br />
the circumstances.<br />
<strong>Performance</strong>: The SAI shall establish policies and procedures designed <strong>to</strong> provide it<br />
with reasonable assurance that engagements are performed in accordance with<br />
professional standards and applicable legal and regula<strong>to</strong>ry requirements, and that<br />
the firm or the engagement partner issue reports that are appropriate in the<br />
circumstances. Such policies and procedures shall include:<br />
a) matters relevant <strong>to</strong> promoting consistency in the quality of engagement<br />
performance;<br />
b) supervision responsibilities;<br />
c) and review responsibilities.<br />
Moni<strong>to</strong>ring: The SAI shall establish a moni<strong>to</strong>ring process designed <strong>to</strong> provide it with<br />
reasonable assurance that the policies and procedures relating <strong>to</strong> the system of<br />
quality control are relevant, adequate and operating effectively. This process shall:<br />
a) include an ongoing consideration and evaluation of the firm’s system of quality<br />
control including, on a cyclical basis, inspection of at least one completed<br />
engagement for each engagement partner;<br />
b) require responsibility for the moni<strong>to</strong>ring process <strong>to</strong> be assigned <strong>to</strong> a partner or<br />
partners or other persons with sufficient and appropriate experience and authority<br />
in the firm <strong>to</strong> assume that responsibility; and<br />
22
c) require that those performing the engagement or the engagement quality control<br />
review are not involved in inspecting the engagements. 35<br />
<strong>4A</strong>.3: Reflection<br />
What qualities does a good supervisor need <strong>to</strong> have?<br />
What training do your audi<strong>to</strong>rs receive <strong>to</strong> help them become effective supervisors?<br />
How should supervisors determine the number of individuals and the expertise needed for<br />
a performance audit?<br />
What is the best way <strong>to</strong> manage progress meetings as a supervisor?<br />
What is the best way <strong>to</strong> prepare for a progress meeting with your supervisor as an audi<strong>to</strong>r<br />
on an engagement?<br />
35<br />
ISSAI 140 Quality Control for SAIs, INTOSAI, 2019.<br />
23