Chapter 2

What are the key principles of quality performance audits?

This chapter will discuss the eight principles that are necessary for conducting a quality
performance audit. According to ISSAI 100/36-43, these principles are :

• quality control;
• independence and ethics;
• professional judgement and scepticism;
• audit team competence;
• materiality;
• audit documentation and audit supervision;
• audit risk and assurance; and
• communication with audited entities, external stakeholders, media and the public.

Given the focus and nature of performance auditing, these principles are critically important
to SAIs and you as an auditor. Without these principles, SAIs and auditors will not be well-
positioned to effectively execute performance audits and thus achieve improvements in
economy, efficiency and effectiveness (the 3Es). It is important that your SAI has policies and
procedures in place that explain the requirements related to each of these principles. It is
your responsibility to follow them. This chapter touches briefly on SAI-level policies that need
to be in place to implement these concepts’ principles. Still, it is mostly focused on how you,
the auditor, can ensure you are taking the appropriate steps to follow them.

The chapter also has a section on IDI’s considerations to mainstream inclusiveness and
maximise the impact of performance audits.

29
What is quality control?

The Standard
SAIs should establish and maintain appropriate procedures for ethics and quality control.

Source: ISSAI 100/35

An SAI’s quality control policies and procedures should comply with professional standards,
the aim being to ensure that audits are conducted at a consistently high level. Auditors should
perform the audit following professional standards on quality control. (ISSAI 100 and ISSAI
140)

SAIs should be consistently focused on delivering high-quality audits and other work. The
quality of work performed by SAls affect their reputation and credibility, and ultimately their
ability to fulfil their mandate (ISSAI 140).

Quality control is a system of policies and procedures put in place by an SAI to ensure that
the audit reports are appropriate, balanced, fair, add value, and are following ISSAIs. Quality
control should be present in all phases of the audit process: planning, execution, reporting,
and follow-up. Such policies and procedures should be set by the head of the SAI, who retains
overall responsibility for the system of quality control (ISSAI 140).

Quality assurance refers to establishing a monitoring process designed to provide the SAI
with reasonable assurance that the policies and procedures relating to the system of quality
control are relevant, adequate, and operating effectively in practice (ISSAI 140/6). The
purpose of quality assurance is to conduct the review to ascertain if the audit was conducted
following ISSAIs.

Reviews, procedures and checks taking place before the report is issued are part of the SAIs
quality control system, to ensure that the reports are of high quality. These reviews can be
done by managers or external reviewers. Quality assurance, on the other hand, involves
checking if the appropriate quality control systems have been put in place and if they are
appropriately implemented. It is not done by line managers and includes reviewing already
published reports. (AFROSAI-E PA Handbook, 2016)

The six key elements of quality control are shown in Figure 4. Additionally, Appendix 1
provides an example of an SAI quality assurance framework.

30
Figure 1: Key elements of quality control for performance auditing

Tone at the top of the Supreme Audit

Institution (SAI) and its policies should
Leadership promote a culture that focuses on quality.

Audit work and reports

are assessed against a Ethical
system of quality control. Monitoring All auditors working for an
requirements
This can be considered SAI should follow certain
quality assurance. standards for ethical
behaviour.

Audit work should adhere to

SAIs should only carry out
all requirements that apply; Acceptance
Engagement audits where it is
legal, regulatory, and
policies. performance and competent to perform the
continuance work, has the capabilities,
can comply with relevant
Human
ethical requirements and
resources has considered how to
The SAI should have the resources treat risks to quality that
available to carry out its work in a way might arise.
that meets all standards.

Source: ISSAI 140

For a system of quality control to be effective, it needs to be part of an SAI’s strategy, culture,
policies and procedures. In this way, quality is built into the performance of the SAI’s work
and the production of the SAI’s reports, rather than being an additional process once a report
is produced (ISSA1 140). Quality control procedures should cover matters such as the
direction, review and supervision of the audit process and the need for consultation to reach
decisions on difficult or contentious matters. (ISSAI 100/38)

It is not enough that an SAI puts policies and procedures in place; the functioning of the
quality control system needs to be monitored through a regular assessment of audit work and
reports. This is important to determine whether the system is suitably designed and operating
effectively and if policies and procedures are being followed. This monitoring can be
conducted through both internal and external reviews. Monitoring, such as periodic peer
reviews or other types of review activities, helps SAIs assure that the work performed and the
resulting reports meet standards and are of high quality.
Your SAI needs policies and procedures that codify the actions and behaviours expected of
you according to each element of a quality control framework. The SAI should ensure these
are clearly communicated to all auditors.

31
 What are independence and ethics?

Adhering to independence and ethical requirements is a prerequisite to conducting

performance audits and is emphasised in the INTOSAI Framework of Professional
Pronouncements (IFPP). The following sections present important concepts regarding
independence and ethics.

Independence

Independence means being free from circumstances or influences that

INTOSAI’s ISSAI 130: compromise, or maybe seen as compromising, professional
Code of Ethics provides a judgement, and acting in an impartial and unbiased manner.
detailed discussion of
independence and ethics. The
code provides SAIs and the It is important that your SAI and you, the auditor, understand what
staff working for them with a potential threats exist that could affect independence and undermine
set of values and principles on
which to base behaviour. the effectiveness of an audit. There are six major threats to
Furthermore, the code, independence during a performance audit, as shown in Figure 5.
recognising the specific
environment of public-sector
auditing (often different from
that of private sector auditing),
gives additional guidance on
how to embed those values in
an SAI’s processes and audit
work.

Source: IDI/PAS Development Team

32
Figure 2: Six major threats to independence during a performance audit

Self-interest The threat that a financial or other personal interest will inappropriately influence
an auditor’s judgement or behaviour.

Bias or The threat that an auditor will, as a result of political, ideological, social or other
advocacy convictions, take a position that is not objective.

Familiarity The threat that personal relationships with family, friends, etc. in the audited
agency will cause the auditor to take a position that is not objective.

Intimidation The threat that external influences or pressures will impact an auditor’s ability to
or undue make independent and objective judgements.
influence

Self-review The threat that an auditor or audit organisation that has provided services to the
audited agency will use that experience to affect its conclusions.

Management The threat that results from an auditor crossing the line from being an external
participation auditor to being a part of the internal management structure of the audited
agency.

Source: GUID 3910/14

SAIs and audit teams should apply control mechanisms that eliminate or reduce a threat to
independence to an acceptable level, such as those listed in the box below.

SAIs should also ensure their personnel do not develop too close of a relationship with the
entities they audit, so they can remain objective. SAIs, while adhering to the laws enacted by
the legislature that apply to them, should also be free from direction or interference from
their legislature or government in the:
• selection of audit topics, if applicable, as some SAIs must perform audits of certain topics
based on their mandate. Regardless, it is important that the SAI and auditor maintain
independence in conducting audits;
• planning, programming, conducting, reporting and following-up of their audit;
• organisation and management of their office; and
• enforcement of their decisions where the application of sanctions is part of their mandate.

33
As an auditor, it is important to remain independent so that your report Auditors can maintain
will be impartial and be seen as such by the intended users. Your ability independence by:
to maintain independence is important in the context of a performance • avoiding participating in audits
audit, as many decisions must be made based on your professional in which the auditor has a
judgement and audit evidence. financial or personal interest;

• not accepting gifts, bribes or

Common decisions made by the auditor (which are discussed in later other payments that would
chapters) in which a lack of independence could negatively affect a create the appearance of bias or
advocacy;
performance audit include:
• recusing themselves of audits in
• identifying and deciding on an audit topic; which family or friends have
• establishing the audit objective(s) and questions; invested interests in the outcome
of the audit;
• identifying the applicable criteria;
• avoiding involvement in
• determining the methodological approach to the audit; external activities that could be
• assessing audit evidence and forming conclusions; seen as having an undue
influence on an audit’s
• deciding on audit criteria and findings, after independently assessing outcomes; and
them and discussing them with the entity or entities that are the
• avoiding becoming too close to
focus of the audit; the audited entity and its
• assessing the positions of various stakeholders; and management, resulting in bias or
advocacy.
• writing a fair and balanced report.
Source: IDI/PAS Development Team

What are some control mechanisms that can safeguard against threats
to independence?
✓ Involve another person to review the work ✓ Ensure that all individuals working on an audit
done or advise as necessary without confirm their independence before
compromising the auditor’s independence. commencing work on the audit and consider
their independence throughout the audit.
✓ Consult a third party, such as a committee of
independent directors, a professional ✓ Remove a person from the audit team when
regulatory body, or a professional colleague. that person’s financial interests, relationships, or
activities threaten independence.
✓ Rotate personnel to performance audits of
different entities after a few years to counter
the familiarity threat.

Source: GUID 3910/19

34
Ethics

Ethics are the moral principles of an individual that include integrity,

It is important that an
professional competence and due care, professional behaviour and auditor remains free of
confidentiality, as defined below: conflicts of interests, both real
and perceived, and maintains
• Integrity: To act honestly, reliably, in good faith and the public independence of mind and
independence in appearance.
interest.
• Professional competence: To acquire and maintain knowledge and Accordingly, an auditor must
avoid both conflicts and the
skills appropriate for the role and act in accordance with applicable appearance of a conflict or any
standards and with due care. other situation where an
objective, knowledgeable third
• Professional behaviour: To comply with applicable laws, regulations party might have reason to
and conventions, and avoid any conduct that may discredit your SAI. question whether the auditor can
make objective and impartial
• Confidentiality and transparency: To appropriately protect judgements.
information, balancing this with the need for transparency and
accountability. Source: IDI/PAS Development Team

Each of these principles is discussed in more detail below. INTOSAI’s ISSAI 130: Code of Ethics
provides in-depth guidance for both the SAI and the auditor regarding each of these
principles.

SAIs should have policies and procedures that address ethical requirements and emphasise
the need for compliance by each auditor. Ethical requirements of the SAI has to include
requirements set down in legal and regulatory frameworks that govern the SAI. SAIs need to
consider: written declarations from personnel to confirm compliance with the SAI’s ethical
requirements; and to put procedures in place for personnel to report breaches of ethical
requirements.

Integrity

SAIs should have policies and procedures in place that:

• emphasise, demonstrate, support and promote integrity;
• ensure the internal environment is conducive for staff to raise ethical breaches; and
• ensure responses to integrity breaches are taken in a timely and adequate manner.

You, the auditor, need to act honestly. You also need to be alert to circumstances that might
expose you to integrity vulnerabilities and avoid disclosing them as appropriate. These
circumstances may involve:
• personal, financial or other interests or relationships that conflict with the SAI’s interests;
• the offer of gifts or gratuities from the audited entities;
• the opportunity to abuse power for personal gains;
• involvement in political activities, or participation in pressure groups, lobbying, etc.;

35
• access to sensitive and confidential information; and
• the use of SAI resources for personal or other purposes.

Professional competence

SAIs need to adopt policies and procedures to ensure performance Auditors exhibiting
professional competence
audits and related tasks are conducted by staff with the appropriate and behaviour are
knowledge, skills and abilities to successfully conduct their work. Such important to the execution of
performance audits. For example,
policies and procedures can include: auditors have to:
• putting in place competence-based recruitment and human
• be objective, neutral, non-
resources practices; partisan, and fact-based;
• assigning work teams that collectively possess the expertise required
• use methodologically sound
for each assignment; approaches to address audit
• providing staff with appropriate training, support and supervision; objectives; and

• providing tools to enhance knowledge and information sharing, and • be able to effectively apply SAI
policies and procedures
encourage staff to use these tools; and regarding professional behaviour
• addressing challenges arising from changes in the public sector and norms.
environment. Auditors cannot:

In assessing and maintaining professional competence requirements, • select sites to visit as part of the
you, as an auditor, can: audit based on personal reasons;
• understand your role and tasks to be performed; • post personal opinions on social
• know the applicable technical, professional and ethical standards to media about issues relevant to an
ongoing performance audit;
be followed;
• work competently in a variety of contexts and situations, depending • misuse their position to obtain
information for personal use; and
on the requirements of the job or task; and
• acquire new knowledge, skills and abilities, updating and improving • engage in outside activities that
would create a conflict of interest
them as needed. on the part of the auditor or SAI.

Source: IDI/PAS Development Team

36
 Professional behaviour

Your SAI should be aware of the standards of professional behaviour expected by its internal
and external stakeholders, as defined by the laws, regulations and conventions of the society
in which they operate, and conduct business accordingly and in line with its mandate. To
promote the highest standards of professional behaviour and to identify activities that are
inconsistent with that standard, SAIs have to provide direction on
SAIs can take the expected behaviour and implement controls to monitor, identify and
following steps to help resolve deviations from it.
ensure transparency:

• Adopt audit standards, It is important that you, the auditor, take steps to ensure your
processes, and methods that
are objective and transparent behaviour, both within and outside the working environment, abides
to the audited entities. by professional norms, such as:
• Make public the results of • knowing SAI policies and procedures relating to professional
their work, including their
methodology(ies) for
behaviour, such as applicable professional standards, laws, regulations
conducting the work. and conventions of the society in which the SAI resides;
• Communicate timely and • understanding the impact of your actions on the SAI’s credibility,
widely on their activities and and considering how your behaviour, both within and outside the
audit results through the media,
websites and other means. working environment, might be perceived by colleagues, family and
friends, auditees, the media and others. For example, work or
Source: IDI/PAS Development Team
volunteering you do outside your SAI activities could be seen as a
conflict of interest or impact your impartiality. Some SAIs have a reporting mechanism for
reporting outside activities. See Appendix 2 for an example of an SAI form for documenting
participation in outside activities;
• being aware that common expectations include acting according to ethical values,
adhering to the legal and regulatory frameworks in place, not misusing your position,
applying diligence and care in performing your work, and acting appropriately when
dealing with others; and
• applying appropriate prudence and care to help ensure your actions or opinions do not
compromise or discredit the SAI and its work, for example, when using social media.

Confidentiality and transparency

SAIs should have policies and procedures to ensure that it balances the confidentiality of
audit-related and other information obtained during a performance audit with the need for
transparency and accountability. The SAI should also have an adequate system in place for
maintaining confidentiality as needed, especially about sensitive data. Further, SAIs should
ensure that any parties contracted to carry out work for the SAI are subject to appropriate
confidentiality agreements.
As an auditor, it is important to be aware of any related legal obligations and your SAI’s
policies and procedures concerning confidentiality and transparency. You are also responsible

37
for protecting the information you collect during the audit and not disclose it to third parties
unless they have proper and specific authority or there is a legal or professional right or duty
to do so. Examples of controls and safeguards you can apply to help ensure confidentiality
and transparency include:

• Use professional judgement to respect the confidentiality of information collected as part

of an audit. In particular, keep the confidentiality of information in mind when discussing
work-related issues with other SAI employees.

• If you are in doubt about whether suspected breaches of laws or regulations have to be
disclosed to appropriate authorities or parties, consider obtaining legal advice from within
your SAI to determine the appropriate course of action.

• Do not discuss information related to your audit outside the work environment, including
on social media.

• Secure electronic data devices, such as laptops and portable data storage devices, and
ensure all audit information, such as audit-related documents and papers, are secured
appropriately. You could do this by ensuring that information is stored in locked areas,
such as cabinets or offices, and also by controlling access to the office space to ensure the
protection of all audit-related information, both electronic and hard-copy documents and
papers. For electronic information, steps need to be taken to prevent loss through backing
up data and servers, as appropriate.

Mitigating or resolving independence and ethical concerns

SAIs and auditors have responsibilities to mitigate and resolve independence and ethical
concerns. SAIs should have an ethics control system to identify, analyse and mitigate ethical
risks, support ethical behaviour and address any breach of ethical values, including protecting
those who report suspected wrongdoing. An ethics control system’s main components could
be a code of ethics, leadership and ‘tone at the top’, ethics guidance, and ethics management
and monitoring (for more information on SAI responsibilities, see ISSAI 130).

As an auditor, you need to take concrete action to mitigate or resolve independence and
ethical issues, such as by:
• identifying situations where your independence and ethical requirements can be impaired,
and understanding the potential impacts of such situations;
• signing declarations of interests and conflict to help identify and mitigate threats to
independence and ensure both your own integrity and that of the SAI. See Appendix 3 for
an example of an independence statement;
• informing your management about relationships and situations that may present a threat;

38
• maintaining and developing your knowledge and skills to ensure a full understanding of
behavioural norms and expectations, professional competence, and the protection and
confidentiality of information related to the audit; and
• informing your supervisor if your expertise is not sufficient to perform a specific task to
ensure professional competence and integrity.

You should be aware of your own biases and opinions regarding topics and organisations.
Police your behaviour to ensure you are upholding the independence and ethical
requirements. Consider any independence and ethical threats at many points throughout the
planning and execution of the audit. If you have questions about what might be a threat to
ethics and independence, trust your instincts that there may be an issue and review your SAI’s
policy and raise the issue to your superiors when appropriate. Additionally, be aware of the
behaviour of other auditors and colleagues because the reputation of your SAI rests on all of
its auditors upholding independence and ethical requirements. Many SAIs have procedures
for reporting observed misconduct. If in doubt, check with your supervisor.

What are professional judgement and scepticism?

The Standard
The auditor shall exercise professional judgement and skepticism and consider issues from different
perspectives, maintaining an open and objective attitude to various views and arguments.

Source: ISSAI 3000/68

Exercising professional judgement and scepticism are critical to ensuring an effective

performance audit.

Professional judgement is the act of applying knowledge, skills, and experience – in a way that
is informed by standards, laws and ethical principles – to develop an opinion or decision on
an issue. Professional scepticism means maintaining a professional distance from the entity
or entities being audited and an alert and questioning attitude when assessing the sufficiency
and appropriateness of audit evidence obtained throughout the audit.

SAIs need to have policies and procedures to guide auditors to consistently apply professional
judgement and professional scepticism. For example, using professional judgement is
important to auditors in applying the conceptual framework to determine independence in a
given situation. As such, SAI policies and procedures need to include guidance for identifying
and evaluating any threats to independence, including threats to the appearance of
independence and related safeguards that may mitigate the identified threats.

39
SAIs should also ensure that auditors understand the importance of professional judgement
and scepticism and can apply it appropriately within a performance audit. To achieve this end,
SAIs could require auditors to participate in periodic training that focuses on, for example:

• the types of evidence – documentary, testimonial, physical and analytical – and their
strengths and weaknesses;

• the standards – appropriateness and sufficiency – used in assessing evidence; and

• the importance of corroborating evidence to ensure the conclusions reached by auditors

are reasonable and logical.

You, as an auditor, should exercise professional judgement and scepticism, consider issues
from different perspectives, and maintain an open and objective attitude toward various
views and arguments. This open-mindedness is essential if you are
presented with contradictory information that needs to be assessed Auditors need to use their
and considered in conjunction with other evidence collected during professional judgement
and scepticism throughout a
an audit. Exercising professional judgement and scepticism allows you performance audit, including in:
to be receptive to a variety of views and arguments and be better
• developing audit questions that
positioned to consider different perspectives. are objective and neutral;
• selecting appropriate scope
and methodologies;
Performance audits require significant judgement, interpretation and • conducting interviews with
scepticism because evidence associated with performance audits is officials;
• assessing the evidence
typically persuasive rather than conclusive, requiring constant collected during the audit; and
reassessment. Professional judgement and scepticism are key for you • developing a message for the
written report that is balanced.
to effectively and critically assess the audit evidence obtained during
an audit. Rather than approaching audit work in a ‘tick the box’ Source: IDI/PAS Development Team
mentality, you must challenge the information and evidence obtained. You need to step back,
look at the wider context and ask, “does that make sense?”.

Some examples of how you can apply professional judgement during performance audits
include:

• determining the required level of understanding of the subject matter;

• determining the nature, timing and extent of audit procedures and methodology;
• determining which findings are significant enough to report;
• evaluating whether sufficient and appropriate audit evidence has been obtained; and
• determining the recommendations to be made, as appropriate, to address root causes of
the problems identified.

How might professional scepticism be applied?

40
 ✓ Question responses to inquiries and other ✓ Evaluate the reliability of data to be used
information obtained from the audited during the audit.
entity. ✓ Assess the reliability of the source of the
✓ Corroborate testimonial or evidence from a documents obtained.
single source with secondary sources of ✓ Be alert to audit evidence that contradicts
evidence. other audit evidence obtained.
✓ Revise your risk assessment as a result of
identified material or significant inconsistent
information (discussed later).
Source: GUID 3910/88-89

As an auditor, you can help to improve the strength of the evidence obtained by exercising
professional scepticism (by asking questions to test the accuracy of evidence), following up
when things do not make sense, and not accepting what the audited entities’ management
tells you without corroboration. Professional scepticism is critical to ensuring you can answer
the audit questions and make conclusions with a high level of assurance.

What is audit team competence?

The Standard
The SAI shall ensure that the audit team collectively has the necessary professional competence to
perform the audit.

The auditor shall maintain a high standard of professional behaviour.

Source: ISSAI 3000/63 and ISSAI 3000/75

41
 Conducting an effective performance audit requires putting in
Effective audit teams
include team members
place a team that has all the skills needed for carrying out the
that collectively have: necessary tasks required during an audit.
• teamwork and collaboration
skills; The quality of an audit is dependent on the skills, abilities and
• critical thinking skills; knowledge of the audit team. Performance auditing is a team
• quantitative and qualitative
analytical skills; effort. Performance audit issues are often complex, and not all
• interviewing skills; and team members need to possess every Ways for auditors to
• oral and written needed skill. Rather, the audit team has exhibit professional
communication skills. behaviour during a
ideally be comprised of team members performance audit:
Source: IDI/PAS Development Team
with a variety of skills, abilities and
• Treat audited entity officials as
knowledge to ensure it is positioned to professionals and with respect.
carry out the audit work.
• Respond promptly to inquiries
from representatives from the
SAIs should ensure their audit teams collectively have the necessary audited entity.

professional knowledge, skills and abilities before performing the • Be on time for meetings with
audit. For example, SAIs could recruit staff with the appropriate officials from the audited entity
and other stakeholders;.
qualifications to include areas of study and knowledge of needed
disciplines. Once hired, SAIs can also require or suggest a specific • Dress professionally and in
accordance with SAI policies.
curriculum of training to ensure their auditors have the necessary skills
• Abide by SAI policies and
and abilities. Training can include classroom instruction, individual procedures in conducting the
study and on-the-job training based on individual needs and the SAI’s audit.
curriculum, among other initiatives. Further, a prescribed amount of Auditors can maintain knowledge
continuous learning can be required by an SAI. of professional behaviour norms
and expectations by:

It is also important for SAIs to ensure that the experience levels of the • completing periodic training on
audit processes, procedures, and
auditors, supervisors and managers are appropriate for the audit. For requirements; and
example, if there are some inexperienced auditors on the audit team,
• participating in conferences
it is important to balance them with experienced supervisors and and seminars to (1) stay abreast
managers. A team lacking the necessary skills, abilities, knowledge and of technical and professional
standards and (2) expand
experience may carry out an audit in a less than efficient and effective knowledge in the public policy
manner and produce a report that does not appropriately address the issue area that the auditor works
in.
audit topics.

Subject matter experts, who are stakeholders either internal to the SAI Source: IDI/PAS Development Team
or contracted by the SAI to assist the audit team, are often used in performance auditing to
complement the skill set of the audit team and to improve the quality of the audit. For
example, stakeholders internal to an SAI could be legal, methodological or technical experts
that are not full-time members of a specific audit team but provide their input and expertise
as needed throughout an audit in order to improve the quality of the work. Before consulting
with these stakeholders, the SAI and you, the auditor, should ensure the expert has the

42
necessary competence required for the audit and that they are informed about the conditions
and ethics surrounding the audit process. This also applies to experts that are not part of the
SAI. See below for examples of areas where different types of expertise can be useful for a
performance auditing team.

Once the audit team has been assembled, and initial stakeholders When an audit is initiated
and the audit team is
identified, it is important that all involved maintain a high standard of
being assembled, SAIs can:
professional behaviour. You should comply with all legal, regulatory
• identify the appropriate areas
and professional requirements, and avoid all conduct that might of expertise within the SAI that are
discredit your work. Maintain individual professional skills and necessary to carry out the audit
as well as the roles and
competence by keeping abreast of, and complying with, developments responsibilities for the individuals
in professional standards and pertinent legislation. It is important that representing these areas of
expertise for the audit; and
all these professional behaviours are maintained throughout the audit
process, from topic selection and audit planning through data • assign staff to the audit team
that ensures the necessary skills,
collection, analysis, reporting and follow-up. These commitments help abilities and knowledge across
ensure that a quality audit is conducted. the members of the audit team to
effectively conduct the audit.

In addition to maintaining a high standard of professional behaviour, Source: IDI/PAS Development Team
ISSAI standards state that auditors have to also be willing to innovate throughout the audit
process, such as by being willing to suggest or try new methods or ideas. By being creative,
flexible and resourceful, you will be in a better position to identify opportunities to develop
innovative audit approaches for collecting, interpreting and analysing information.

What types of expertise can be useful for performance auditing team

members, project managers or outside experts?
✓ Research design. ✓ Organisational management.

✓ Scientific evaluation methods. ✓ Specialised expertise depending on the topic of

the audit, such as information technology,
✓ Legal.
cyberspace or engineering.
✓ Social sciences.
Source: IDI/PAS Development Team

What is materiality?

The Standard
The auditor shall consider materiality at all stages of the audit process, including the financial, social and
political aspects of the subject matter with the goal of delivering as much added value as possible.

Source: ISSAI 3000/83

43
Materiality can be defined as the relative importance (or significance) of a matter within the
context in which it is considered (ISSAI 3000/84). It can influence the decisions of users of the
report, such as legislatures or executives, to deliver as much added value as possible. In
addition to monetary value, materiality includes social and political significance, compliance,
transparency, governance and accountability. It is important for the auditor to keep in mind
that materiality can vary and can depend on the perspective of the intended users and
responsible parties.

The inherent characteristics of an item or group of items may render a matter material by its
very nature. A matter may also be material because of the context in which it occurs.
Materiality considerations affect decisions concerning the nature, timing and extent of audit
procedures and the evaluation of audit results. Considerations may include stakeholder
concerns, public interest, regulatory requirements and consequences for society. The
selection of audit topics and the audit itself needs to consider the concept of materiality.

Another consideration in determining materiality is inclusiveness. Inclusiveness is the practice

or policy of including people who may otherwise be excluded or marginalised, such as those
with physical or mental disabilities and members of minority groups. It is essential for
governments to ensure social inclusiveness, equal opportunity and equity. Given this, public
auditors need to consider inclusiveness as a dimension in the audit. See the end of this
chapter for more information on inclusiveness.

The principle of materiality has to be included in SAI policies and procedures guiding all
aspects of performance audits. Specifically, materiality needs to be considered in selecting
audit topics, identifying and defining criteria for the audit, evaluating audit evidence and
documentation, and managing the risks of producing inappropriate or low-impact audit
findings or reports.

Ultimately, the auditor’s consideration of materiality requires the application of professional

judgement. Specifically, it is up to you and your audit team to distinguish the material and
immaterial. ISSAI 3000 identifies concepts to be considered in making decisions related to
materiality when selecting audit topics, such as:

• indications or risks to economy, efficiency and effectiveness;

• financial significance, socially and politically;
• maximising the expected impact;
• auditability; and
• falling within the SAIs mandate.

As an auditor, keep materiality in mind throughout the audit, such as when designing audit
questions and criteria, when collecting and assessing evidence associated with the audit, and
formulating audit findings and recommendations that significantly contribute to improved

44
performance. For example, the entirety of audited entities’ operations is more than likely not
material to your audit, so you should concentrate your effort on the topic that is material and
the focus of the audit. You could spend immeasurable time collecting documents about a
topic, but to make the best use of available resources, always consider the materiality of a
document or discussion when conducting the work. The next chapters provide more detail
about the principle of materiality as it pertains to all phases of the audit process.

What are audit documentation and audit supervision?

This section describes the importance of audit documentation and audit supervision. While
these topics are introduced below, they are discussed in detail throughout this handbook as
we discuss the various phases of a performance audit.

Audit documentation

The Standard
The auditor shall document the audit in a sufficiently complete and detailed manner.

Source: ISSAI 3000/86

Audit documentation records audit procedures performed, relevant audit evidence obtained,
and conclusions the auditor reached (terms such as ‘working papers’ or ‘audit trail’ are also
sometimes used).

What should an experienced auditor be able to understand from audit documentation?

✓ The nature, time and extent of the work ✓ The conclusions reached as a result of the
conducted. aforementioned significant matters.
✓ The findings of the audit work and the ✓ Significant or key decisions made in reaching
evidence obtained. those conclusions.
✓ Significant matters that arose during the audit
(for example, changes in the scope or
approach of the audit, decisions regarding a
new risk factor identified during the audit,
actions taken as a result of disagreement
between the audited entity and the team,
etc.).

Source: IDI/PAS Development Team

It is important that SAIs have policies and procedures that define the basic standards of audit
documentation required for audits performed by the SAI. These policies and procedures
define the standards for the types of files that must be maintained and for how long once the
audit is completed. SAIs should provide training to auditors regarding how documentation for

45
audits will be compiled and maintained. The policies, procedures and There are many
training help ensure that audit documentation collected for each audit types of documents that
auditors need to maintain as part
provides evidence of the auditor’s basis for a conclusion about achieving of the audit documentation.
These documents include, but
the overall objective(s) of the audit. The policies, procedures and training are not limited to:
also aim to help prove evidence that the audit was planned and
• an index for the information
performed in accordance with SAI’s requirements and applicable legal and included in the file;
• a memo of all key decisions
regulatory requirements. and communications that
documents the decisions,
performed activities, and internal
As an auditor, you should take steps throughout the audit to ensure that and external communication
proper audit documentation is being collected and maintained according during the audit;
• statements of independence
to SAI policy. You also need to ensure that the documentation collected is for the auditors;
• the audit plan that identifies
sufficient to enable an experienced auditor, having no previous the scope, methodology and
connection with the audit, to understand decisions made and how the plans to collect the evidence for
the audit;
audit results were obtained. Documentation starts at the very beginning • documentation of meetings
with the audited entity, such as
of a performance audit when the audit team is first assembled. You will the initial meeting to discuss the
need to consider documenting the following as you begin your audit: audit and meetings near the end
of the audit during which findings
are discussed;
• How the audit topic was selected. • interview records to document
• Any pre-planning that was conducted. testimonial evidence from
officials;
• How stakeholders were identified. • evidentiary documentation,
such as the audited entity’s
• Any communication with the audit entities. policies and procedures, memos,
• Any initial decisions by the team and management. briefings on the programme, and
data;
• Any risks that were identified. • records of file reviews,
observations or inspections;
Documentation will continue to be very important as you move to • answers to questionnaires;
• records of discussions during
conduct and report on the audit, and documentation should be focus groups and reference
groups;
completed promptly. You should document: • records of analyses;
• the evidence and your team’s analysis of that evidence; • documentation of key
stakeholder and management
• how you arrived at the findings; and reviews of drafts reports; and
• the final report cross-
• internal reviews, communication with the audited entities and the referenced to the evidence in
considerations for making (or not) changes based on comments the file, either by notes written in
a copy of the final report or in a
received and other key decisions made as you develop a message and separate document explaining
draft report. the evidence that was used for
the main findings and where this
evidence is available in the file.
It is important your audit team begins its audit documentation set at the
very beginning of the audit in order that all information collected and
decisions made are properly documented. The audit team needs to reach Source: IDI/PAS Development Team
an agreement about the organisation of the audit documentation as well as any processes
and approaches that will be used by the audit team to document the audit. For example,
many types of documents in an audit are easier to organise and manage when filed
electronically in a clear folder structure for the project. To the extent allowed by your SAI
policy and procedures, electronic documentation can replace physical copies of documents

46
provided the electronic documentation is sufficiently backed up. Some evidence collected as
part of the audit may not be able to be stored electronically but still needs to be saved and
stored to ensure the proper documentation of the audit. For example, you may collect
physical objects as part of the audit that cannot be stored electronically in a computer-based
storage system. These physical objects have to be maintained as part of the audit
documentation set. Lastly, follow your SAI´s guidance for keeping audit documentation for an
adequate period of time.

Your audit team could consider establishing an approach to cross-reference the evidence
collected throughout the audit with the team’s analysis. Alongside collecting and cross-
referencing documentation, you can ensure that proper procedures are used to maintain the
confidentiality and safe custody of documentation and working papers.
Below is a sample of a basic electronic file structure for a performance audit. The structure
can be adapted based on the needs of the team and SAI policy.

Audit documentation folders

• Administrative documents.
• Background materials.
• Planning materials.
• Evidentiary materials (for example, interview records, documents obtained).
• Analyses of evidence.
• Draft reports.
• Follow-up.

Audit supervision

The Standard
The SAI shall ensure that the work of the audit staff at each level and audit phase is properly supervised
during the audit process.

Source: ISSAI 3000/66

Generally, the audit supervisor is responsible for ensuring that all audit policies and
procedures are followed throughout the audit process.

Audit supervision involves providing sufficient support, guidance and direction to staff
assigned to the audit to ensure the audit objective(s) are addressed, methodologies are
applied appropriately, evidence and analysis are sufficiently documented, and the report is of
high quality. Supervisors must stay informed about significant problems encountered during
the audit and continually review the work performed to ensure a quality audit. An important

47
part of audit supervision is providing effective on-the-job training to members of the audit
team so that all auditors are developing their capacity to carry out audits effectively.

What does audit supervision consist of?

✓ Ensuring that all team members fully ✓ Considering the competence and capabilities
understand audit objective(s) and audit of individual members of the engagement
questions. team.
✓ Ensuring that audit procedures are ✓ Addressing and handling significant matters
adequate and properly carried out. that arise during the engagement.
✓ Ensuring that audit evidence is relevant, ✓ Supporting the auditor when needed to
reliable, sufficient and documented. overcome challenges.
✓ Ensuring international and national auditing ✓ Providing hands-on support in solving issues
standards are followed. that arise.
✓ Tracking progress of the engagement to ✓ Identifying matters that require more
ensure that budgets, timetables and experience to review.
schedules are met. ✓ Reviewing and approving the audit work.
Source: GUID 3910/82

It is important that SAIs provide guidance, and supervisors have to provide coaching and
review during all phases of an audit to ensure that the audit:

• complies with professional standards;

• achieves the intent of the audit’s objectives;
• documentation is complete and supports the audit’s findings and recommendations; and
• staff members develop their professional competence.

Some SAIs have a central office that reviews the outputs of all audits for compliance with
audit standards after supervisory review. The central office review ensures, for example, that
the findings, conclusions and recommendations are sufficiently and appropriately supported
by evidence and are clearly presented.

The degree to which supervision is needed depends on multiple factors, such as the size of
the audit organisation, the experience of the auditors and the significance of the work. For
example, an audit involving issues with a high degree of materiality, such as audit topics that
require large amounts of governmental funds for operation or issues that are extremely
sensitive from a political or societal perspective, is likely to necessitate a greater degree of
supervision and oversight within the audit team and the SAI. Regardless of these factors, audit
work needs to be reviewed by a senior member(s) of the audit team and SAI management
throughout the audit process, especially before the audit report is finalised.

As an auditor, ensure that you adhere to your SAI’s requirements regarding supervision. For
example, provide audit documentation to your supervisor for their review and input. You also
have to be receptive and respond appropriately to any direction, coaching, monitoring and
feedback provided by your supervisor, and seek to continuously improve your professional
competence and performance.

48
What are audit risk and assurance?

The Standard
The auditor shall actively manage audit risk to avoid the development of incorrect or incomplete audit
findings, conclusions, and recommendations, providing unbalanced information or failing to add value.

The auditor shall communicate assurance about the outcome of the audit of the subject matter against
criteria in a transparent way.

Source: ISSAI 3000/52 and ISSAI 3000/32

SAIs and auditors should actively manage audit risk. The management of risk should allow an
SAI and audit team to provide assurance that the intended users can be confident about the
reliability and relevance of the information provided by the audit, and that the results can be
used as the basis for making decisions.

There are numerous risks associated with performance auditing, as shown in Figure 6. The
SAI and its auditors must provide assurance to its users that these risks are appropriately
minimised and managed.

49
Figure 3: Common risks in performance auditing

Incorrect or Auditors reach incorrect or incomplete audit conclusions and make

incomplete recommendations that are not focused on the necessary or appropriate issues.
This can occur as a result of numerous factors, such as an inadequate assessment
conclusions of the evidence and not following appropriate and necessary audit procedures.

Unbalanced Auditors fail to include and evaluate contrary evidence, clearly identify which audit
information criteria are met, or report on good practices. Achievements of the audited entity
are not discussed, and contributing factors to the deficiencies identified are not
disclosed. For example, shortfalls are highlighted without explaining the challenges
or constraints under which the entity operates, or the audited entity’s performance
is assessed without reference to acceptable standards.

No or limited Auditors fail to provide new information or knowledge from the audit.
added value Specifically, the auditors do not add new analytical insights (broader or deeper
to the users as analysis or new perspectives) or make information accessible to various
stakeholders.
a result of the
audit

Difficulties in Auditors do not have access or have limited access to needed information.
obtaining Additionally, the information may not meet quality standards (that is, the data are
not reliable). As the audit findings and conclusions rely greatly on the quality of
quality information and data collected, it is essential to assess the risk of not having access
information to good-quality information and data when planning and conducting an audit.

Insufficient Auditors do not conduct sufficient analysis due to the lack of expertise, audit
analysis criteria or access to information. If due care is exercised during the planning stage,
risks due to a lack of expertise and audit criteria can be mitigated during the audit.

Omission of Auditors do not identify all of the key issues at the planning stage that will be
relevant covered during the audit, fail to consider relevant pieces of evidence or fail to
information or counter important arguments in the audit’s conclusions.
arguments
Presence of
Auditors do not assess whether the risk of fraud is significant within the context of
fraud, abuse of the audit objective(s) and/or fail to communicate fraud and irregularities promptly.
resources If fraud exists, the auditor is encouraged to follow SAI procedures regarding fraud.
and/or irregular
practices
Substantial Auditors do not appropriately handle highly complex and politically sensitive
complexity or topics. This could seriously undermine the credibility of the audit report and the SAI.
political
sensitivities
Source: IDI/PAS Development Team

50
The concept of audit assurance is inseparable from the concept of
audit risk. Performance auditors are not normally expected to provide Audit teams and auditors
have to strive to manage
assurance as an overall opinion, comparable to the opinion on financial audit risk and provide assurance
audits, on the audited entities’ achievement of economy, efficiency by ensuring:

and effectiveness (ISSAI 300/21). • the audit is within the SAI’s

scope of authority, and the
scope is defined in an
The users of an audit report should be confident that the report appropriate manner;
conclusion is reliable and valid. According to GUID 3910/27, reliable
• the human capital with the
and valid information requires that the conclusions on the subject necessary and appropriate skills
matter are logically linked to the audit objective(s) and criteria and are and knowledge are available
within the auditing entity to
supported by sufficient and appropriate evidence. The conclusions execute the audits;
must be written in a way that enhances the degree of confidence of
• the design of the audit
the intended users about the evaluation of the underlying subject effectively accounts for and
manages risks;
matter against criteria.
• there is access to the records
and data needed to perform the
It is important for the auditor to make the links clear between the audit audit;
objectives, criteria, and findings based on solid evidence. This is done
• the records and data are
by being clear on how findings, criteria and conclusions were reliable and complete;
developed in a balanced and reasonable manner and why the
• the level of investment to
combinations of findings and criteria result in a certain overall develop a quality product is
conclusion or set of conclusions. If done properly, the intended users commensurate with risks; and

can be confident about the validity of the conclusions, and the auditor • clear responsibility and
has then provided assurance (GUID 3910/32). The assurance provided accountability for all levels are
established for managing quality
to the intended user has to be communicated transparently. throughout an engagement,
including engagement design,
staffing, stakeholder involvement,
As an auditor, you need to assess audit risk and take steps to provide message development and
assurance. Specifically, you need to: product review.

(1) identify the risks;

Source: IDI/PAS Development Team
(2) assess those risks;
(3) develop and implement strategies to prevent and mitigate the risks; and
(4) monitor audit risk and mitigation strategies throughout the audit and make adjustments
as needed to changing circumstances.

Audit risk and the level of assurance are affected by numerous factors, but particularly
important is your audit team’s ability to:

• develop a quality audit design that comprises the scope of the audit and the
appropriateness of the evidence-gathering procedures;
• sufficiently understand the subject matter to actively manage audit risk and design. The
audit teams have to consider the conditions of the subject matter and the level of
confidence needed by the intended users of the audit report; and

51
• effectively exercise the use of professional judgement and professional scepticism in
assessing risks, as each audit topic is unique. You have to research and learn carefully about
the topic being audited and document your understanding of the subject matter in a way
that provides confidence that you have properly understood it.

More details about assessing and mitigating audit risks are provided in Chapters 4 and 5.

What does communication with audited entities, external stakeholders, media

and the public involve?

The Standard
The auditor shall plan for and maintain effective and proper communication of key aspects of the
audit with the audited entity and relevant stakeholders throughout the audit process.

The auditor shall take care to ensure that communication with stakeholders does not compromise the
independence and impartiality of the SAI.

The SAI shall clearly communicate the standards that were followed to conduct the performance
audit.

The auditor shall, as part of planning and/or conducting the audit, discuss the audit criteria with the
audited entity.

SAIs adopt audit standards, processes and methods that are objective and transparent, including
procedures for obtaining comments on audit findings and recommendations from the audited entity.

Source: ISSAI 3000/55, ISSAI 3000/59, ISSAI 3000/61, ISSAI 3000/49, and INTOSAI-P-20, Principle 3

Your audit team does not work alone in conducting a performance audit. You and your audit
team should maintain effective and proper communication with the audited entities to obtain
the necessary information to conduct your analysis and reach appropriate conclusions. An
audit may focus on one audited entity or several entities. Communication with all relevant
entities involved is important. In addition to consulting with stakeholders internal to your SAI,

52
such as lawyers, methodologists and technical experts, it may also be
Auditors can conduct
useful to enlist the help of those external to the SAI. For example, SAIs effective communication
may contract out work to subject matter experts in trade organisations with the audited entity through:

or research firms for assistance with the audit. However, it is important • face-to-face meetings with
to maintain independence if seeking this type of assistance and not audited entity officials;

allow the expert to inappropriately influence the audit conclusions. • teleconference meetings; and
Lastly, a strategy to outreach to the media and the public may need to
• written communication, such as
be considered (especially for high visibility or controversial audits) for letters and email.
those SAIs who interact with the media about their work.
Audit teams need to meet with
the audited entity or entities at
key points during the audit,
Communicating with audited entities including holding:

• an initial meeting to discuss the

It is important that the audited entities be kept engaged regarding all audit objective, the audit
relevant matters about the audit. This is important for developing a questions, scope and
methodology, information
constructive working relationship and helping to ensure that the audit requirements and timeframes;
team can achieve the audit objective(s) and conduct a high-quality
• working meetings to obtain
audit. Communication can include obtaining information relevant to information and data from the
the audit and providing management and those charged with audited entity(ies) and update
the audited entity on the progress
governance with timely observations about potential findings and of the audit; and
conclusions. SAIs may provide general minimum requirements to their
• a meeting near the end of the
auditors regarding communication with audited entities. For example, audit in which draft audit findings
SAI guidance could direct when auditors have to communicate with are discussed, and there is an
opportunity for the audited entity
audited entities and the type or level of detail to be discussed. Or, for to provide comments and
example, SAI policy and procedures may require that recommendations additional information.

made to an audited agency may not be so prescriptive and detailed that In their communication with the
the SAI might be seen as consultants as opposed to independent and audited entity, it is important for
auditors to:
impartial auditors.
• be professional, respectful,
courteous and receptive; and
It is recommended that your audit team communicate with audited
• ensure that they maintain their
entities at regular intervals throughout the audit. Specifically, your independence and impartiality.
team could:
Source: IDI/PAS Development Team

• begin the communication process with the audited entities at the planning stage of the
audit, and continue throughout the audit. As audited entities may not have prior
knowledge of performance auditing, it is important to introduce the purpose and process
of performance auditing to them;
• engage the audited entities during the early stages of the audit when developing the: audit
subject matter; audit objective(s) and questions; audit criteria; the period to be audited;
and government undertakings, organisations and/or programmes to be included in the
audit. Access to documentation, data, the confidentiality/sensitivity of the information
that will be shared and how it can be used and disclosed in the final audit report are key

53
 matters to discuss with the auditee(s) early in the audit process, preferably during audit
planning;
• hold update meetings with the audited entities throughout the audit process and consider
its feedback. Audits often evolve as the audit team learns more about the topic and
information is obtained and analysed. You should keep the audited entities informed of
any significant changes to the key aspects of the audit, such as any changes to the audit
questions or criteria. Effective communication can help improve your access to
information and data, help gain better insights into the perspectives of the audited
entities; and
• provide the audited entities with an opportunity to comment on the audit findings,
conclusions and recommendations. Additionally, the audited entities’ comments can be
used for correcting factual errors and considering the need to make other changes to the
final reports. The remaining differences of opinions or other important comments, along
with the SAI’s responses, may be published as part of the report.

A sound dialogue throughout the audit process that involves the audited entities is important
in achieving meaningful improvements in governance and may increase the impact of the
audit. In this context, you can maintain constructive interactions with audited entities by
sharing preliminary audit findings and perspectives as they are developed and assessed
throughout the audit. However, remember that you must also always maintain proper
independence and impartiality while effectively communicating and working with audited
entities.

Communicating with external stakeholders

We discussed the importance of the SAI assembling audit teams that collectively have the
knowledge and skills necessary to conduct the audit and consult with stakeholders within the
SAI, such as experts or methodologists, through all audit phases. It is also appropriate to
engage with stakeholders external to the SAI. Potential stakeholders outside your
organisation may include:
• academic and business communities;
• international bodies;
• internal auditors;
• citizens and their representatives;
• research institutions;
• civil society organisations (CSOs);
• professional institutions;
• representatives of vulnerable groups;
• other non-government organisations; and
• legal experts, if expertise does not exist within the SAI.

54
Stakeholder communication is important for both SAI leadership and audit teams. For
example, SAIs needs to cultivate good relations with various organisations to promote
productive collaboration.

In addition, you, the auditor, should strive to maintain good professional relationships with
all stakeholders involved in the audit. In doing so, promote a free and frank flow of
information as far as confidentiality requirements permit and conduct discussions in an
atmosphere of mutual respect and understanding of the respective role and responsibilities
of each stakeholder. While stakeholder communication is important, it is essential that this
communication does not compromise the independence and impartiality of the audit or the
SAI. For example, your SAI may have policies and procedures that dictate the types of details
about the audit or audit documentation that can be shared with stakeholders external to your
SAI.

Communicating with the media and the public

A strategy for outreach to, and communication with, the media may be important to inform
the public of the outcome of audit work. It is good practice to make reports accessible to the
public and other interested stakeholders through the media unless prohibited by legislation
or regulations. Reporting audit results publicly, unless specifically limited, make the results
less susceptible to misunderstanding and facilitates follow-up to determine whether
appropriate corrective actions have been taken. It is important that SAIs make reasonable
efforts to consider the needs of the public and the media in their requests for information
about the SAI’s work. SAIs’ treatment of all media – whether print or electronic, local or
national, domestic or international – should be balanced and equitable.

As an auditor, it is important that you follow your SAI’s guidance or rules concerning
communicating with the media and the public. For example, SAI guidance might direct what
level of officials within the SAI can participate in media interviews.

55
 The principles for conducting a quality performance audit span the entirety of your
work, so remember to always ...
… understand and act in accordance with your … determine the materiality of audit topics and
SAI’s quality control and assurance framework; findings, appropriately document the evidence
and decisions in the audit, and ensure effective
… consider independence, be aware of possible supervision of the audit;
threats to independence, and report them if
necessary; … assess audit risk and put in place strategies to
provide assurance in the audit;
… adhere to all ethical standards and
requirements of your SAI; … plan for and maintain effective and proper
communication of key aspects of the audit with
… exercise sound professional judgement and the audited entity and stakeholders; and
scepticism;
… keep in mind that performance audits require
… ensure your audit team collectively has the significant judgement, interpretation and
necessary professional competence to perform scepticism because evidence associated with
the audit; performance audits is typically persuasive rather
than conclusive, requiring constant reassessment.

Source: IDI/PAS Development Team

56
IDI’s considerations to mainstream inclusiveness and maximise the impact of
performance audits

Besides the general principles coming from the performance audit ISSAIs, we would like to
highlight two cross-cutting considerations for performance audits: audit impact and
inclusiveness. These considerations are not performance audit requirements, i.e. the
performance audit can still be ISSAI complaint if these actions are not carried out. However,
IDI recommends that SAIs mainstream audit impact and inclusiveness considerations
throughout the performance audit process to enhance the value and benefit delivered by the
SAI.

Impact driven performance audit process

IDI describes ‘audit impact’ as the contribution of SAI audit work to long-term positive effects
on people and the planet (a society/on a group/area), especially those left behind. Such audit
impact is achieved through a value chain of SAI outputs and SAI outcomes. Figure 7 is an
illustration of what such value chain could look like in case of performance audits.

Figure 4: Value chain of SAI outputs and SAI outcomes

SAI outputs SAI outcomes SAI contribution to

impact

•Adequate coverage •Legislative follow-up • Enhanced

•Executive action on governance and
•High quality audit
recommendations service delivery
reports issued in a
positively impacting
timely fashion
people and planet
•Extensive outreach
of PA audit report to
diverse stakeholders

While SAIs have control over SAI outputs, there are many factors that affect SAI outcomes
and contribution to impact. SAIs are a part of an ecosystem. The social, economic, political
context in the country and multiple stakeholders such as legislative bodies, executive, civil
society organisations, professional bodies, academia, media etc., play a role in achieving audit
impact.

Though a SAI may not have control over these, a SAI does have influence. To maximize the
possibility of SAI contribution to impact through performance audits, we recommend that the
SAI incorporate audit impact considerations throughout the audit process. This can be done

57
by asking and answering some key questions during different phases of the performance
audit.

Key questions

• What is the envisaged audit impact of this performance audit?

• Will the topic selected contribute to desired audit impact?
• Will the audit design framework lead to desired audit impact?
• Are key stakeholders engaged throughout the audit process?
• Will the audit recommendations lead to a positive impact, including for those left behind?
• Are key messages conveyed to all relevant stakeholders?
• Are there processes in place for appropriate follow-up and facilitation of audit impact?

Source: IDI/PAS Development Team

Some tips for enhancing audit impact are presented below.

Tips for enhancing audit impact

✓ Engage with SAI Leadership

✓ Communicate continuously with audited entities
✓ Create a stakeholder coalition
✓ Communicate the value of your work
✓ Reflect on audit impact throughout the audit process
✓ Follow ISSAIs

Source: IDI/PAS Development Team

Mainstream inclusiveness considerations into performance audits

Millions of people across the world continue to live in poverty and are denied a life of dignity.
There are enormous disparities of opportunity, wealth and power. Gender inequality remains
a key challenge. The current pandemic has sharpened inequalities. People get left behind
when they lack the choices and opportunities to participate in and benefit from government
processes and outcomes. People can be vulnerable and left behind due to many factors like
gender, ethnicity, age, class, disability, sexual orientation, religion, nationality, indigenous,
migratory status, socio-economic status, geographical remoteness, conflict etc. In each
national context, it is important for those charged with governance to ensure that
government policies, programmes and institutions are inclusive and responsive to the needs
of the marginalised.

58
Inclusion of the marginalised is important in both outcomes and decision-making processes
of government. As performance audit seeks to contribute to effective governance and service
delivery, it is important to examine if those charged with governance have been inclusive and
responsive to the needs of marginalised groups in their national context.

You can examine inclusiveness in performance audits by:

• Examining inclusiveness as a part of every performance audit topic. For example, in

auditing strong and resilient national public health systems, one of the topics examined
could be the preparedness of such systems to respond to the needs of marginalised sectors
of the population during an emergency. For example, people with disabilities, migrants and
refugee populations.
• Selecting topics that directly impact the marginalised. Based on national priorities, you
can decide to select high priority topics that directly impact the marginalised. For example,
if you are in a country with very high rates of violence against women, you could select the
elimination of violence against women as a performance audit topic.
• Engaging with stakeholders and beneficiaries from marginalised sectors. The audit
process itself can be inclusive by engaging with civil society organisations (CSO) that
represent relevant marginalised groups or reaching out to the marginalised sectors. Such
engagement would have many benefits, such as contributing to a better understanding of
the subject matter, ensuring that the voices of these sectors are heard and considered in
all phases of the audit. Such engagement would also be beneficial for the ability to
formulate relevant audit recommendations.
• Understanding the impact of the audit on marginalised sectors. Inclusiveness could also
be considered in understanding the impact of your audit. What difference will your audit
make to the marginalised sectors?
• Communicate key messages from your audits to create greater awareness of issues faced
by the marginalised sectors.

Questions you could ask to examine inclusiveness

✓ How are marginalised groups identified by the government and considered in the implementation of
policies?
✓ Who is being left behind, and what are the underlying reasons for their vulnerability?
✓ What disaggregated sources of data are available, and what are the data gaps?
✓ What actions are being taken to determine the needs of the marginalised?
✓ How does the government ensure that marginalised groups are included in decision-making processes?
✓ How does government ensure that marginalised groups are informed about government decisions and
actions?
✓ What action has the government taken on SAI recommendations related to marginalised and
vulnerable populations?

Source: IDI/PAS Development Team

59