ISSAI3000

Performance Audit
Standard

INTOSAI Standards are issued

by the International
Organisation of Supreme Audit
Institutions, INTOSAI, as part of
the INTOSAI Framework of
Professional Pronouncements.
For more information visit
INTOSAI www.issai.org
 INTOSAI

INTOSAI, 2019
1) Endorsed as Standards and guidelines for performance auditing based
on INTOSAI´s Auditing Standards and practical experience in 2001
2) Endorsed as Standard for Performance Auditing in 2016
3) With the establishment of the Intosai Framework of Professional
Pronouncements (IFPP), renamed to Performance Audit Standard with
editorial changes in 2019

ISSAI 3000 is available in all INTOSAI official languages: Arabic, English,

French, German and Spanish
TABLE OF CONTENTS
1. INTRODUCTION 4

2. SCOPE OF THIS ISSAI 6

3. DEFINITION OF PERFORMANCE AUDITING 8

4. GENERAL REQUIREMENTS FOR PERFORMANCE AUDITING 9

Independence and ethics 9
Intended users and responsible parties 10
Subject matter 11
Confidence and assurance in performance auditing 12
Audit objective(s) 12
Audit approach 13
Audit criteria 14
Audit risk 15
Communication 16
Skills 17
Supervision 18
Professional judgment and scepticism 19
Quality control 21
Materiality 21
Documentation 22

5. REQUIREMENTS RELATED TO THE PERFORMANCE

AUDITING PROCESS 23
Planning – selection of topics 23
Planning - designing the audit 24
Conducting 26
Reporting 28
Follow-up 32
1 INTRODUCTION

1) Professional standards and guidelines are essential for the credibility, quality
and professionalism of public-sector auditing. The ISSAI 3000 Performance
Audit Standard developed by the International Organisation of Supreme
Audit Institutions (INTOSAI) aims to promote independent and effective
auditing and support the members of INTOSAI in the development of their
own professional approach in accordance with their mandates and with
national laws and regulations.

2) ISSAI 100 Fundamental Principles of Public-Sector Auditing, amongst other

things, defines the purpose and authority of ISSAIs. ISSAI 300 - Performance
Audit Principles builds on and further develops the fundamental principles of
ISSAI 100 to suit the specific context of performance auditing. ISSAI 3000 is
the International standard for performance auditing and should be read and
understood in conjunction with ISSAI 100 and ISSAI 300.

3) ISSAI 3000 is the authoritative standard for performance auditing and

consequently each requirement must be complied with if an SAI chooses
to adopt it. It provides requirements for the professional practice of
performance auditing followed by explanations in order to enhance the
clarity and readability of the standard.

4) Requirements are “shall” statements presented in bold. They contain the

mandatory content necessary to produce the high quality audit work for
those Supreme Audit Institutions (SAIs) that choose to make reference to
the ISSAIs in their work. They tell auditors what is expected of them and to

4
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

stakeholders what they can expect from the audit work. Explanations describe
in more detail what a requirement means or is intended to cover.

5) Other pronouncements (GUID 3900-3999) provide non-mandatory guidance.

GUID 3910 - Central Concepts for Performance Auditing provides guidance
related to audit concepts, while GUID 3920 - The Performance Auditing Process
provides guidance related to the audit process. The first document contains
clarifications on requirements, while the second contains descriptions on how
to implement those requirements.

6) In public-sector auditing the role of the auditor is fulfilled by the Head of the SAI
and by people to whom the task of conducting the audits is delegated, which
comprises the audit team and those in charge of supervision and management.
The overall responsibility for public-sector auditing remains as defined by the
SAI’s mandate (ISSAI 100/25). ISSAI 3000 uses the term ‘the auditor’ and defines
what is required by the auditor for conducting high quality audits. Where
institutional issues are involved, reference is also made to the SAI.

7) ISSAI 3000 is structured largely in the same order as ISSAI 300 and consists of
four main sections:

a) The first section establishes the scope of the Performance Audit

Standard and how reference to it can be made by SAIs.

b) The second section defines performance auditing and its objectives, as

well as the principles underlining the concept of performance.

c) The third section consists of general requirements for performance

auditing. These requirements shall be considered before starting and
throughout the audit process.

d) The fourth section contains requirements related to the main stages of

the audit process.

5
2 SCOPE OF THIS ISSAI

8) This document provides the International Standard for Performance Auditing.

According to ISSAI 300/6-8, SAIs wishing to make reference to the ISSAIs
relating to performance auditing can do so in two ways:

a) Option 1: by developing authoritative standards that are based on or

consistent with the Performance Audit Principles, or

b) Option 2: by adopting the International Standards of Supreme Audit

Institutions on Performance Auditing (ISSAI 3000-3899).

9) Under option 1, INTOSAI recognises that SAIs have contrasting mandates and
work under different conditions. Due to the varied situations and structural
arrangements of SAIs, not all auditing standards or guidelines may apply to
all aspects of their work. Standards developed by the SAI or by a national
standard-setter can achieve the principles of ISSAI 300 in different ways,
given the national mandate, constitutional and other legal environment, and
the strategy of the SAI.

10) Therefore, ISSAI 3000 is not meant to be read as a prescription of how

SAIs´ standards should be formulated. SAIs have the option of developing
authoritative standards that are either based on, or consistent with the
Performance Audit Principles. If an SAI chooses to develop its own standards,
those standards should include the level of detail necessary to accomplish
the SAI’s relevant audit functions and should correspond to the Performance
Audit Principles in all applicable and relevant aspects.

6
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

11) Under option 2, when considering the adoption of ISSAI 3000, it is useful to
bear in mind that while a principle can be achieved in different systems by
different means, a standard needs to be complemented with an appropriate
level of detail to guide the auditor to follow good practices when conducting a
performance audit. Supplementary performance audit guidance (GUIDs 3900-
3999) provide guidancefor performance auditing that can be used directly, or
as basis for developing own guidelines.

12) This standard in no way overrides national laws, regulations or mandates, or

prevents SAIs from carrying out investigations, reviews or other engagements
that are not specifically covered by ISSAI 3000.

13) ISSAI 3000 provides the standard for those SAIs that choose to adopt it as their
authoritative standard for performance audit and make direct reference to it.
In such cases, the auditor and the SAI shall comply with each requirement of
this standard unless, in the circumstances of the audit, the requirement is not
relevant because it is conditional and the condition does not exist. If not all
relevant requirements have been fulfilled, reference to this standard shall not
be made without disclosure of that fact and further explanations about the
consequences thereof.

14) When an SAI chooses to make direct reference to this standard the reference
should be worded as provided for in ISSAI 100/10-12 and ISSAI 300/8.

15) Performance auditing can deal with a wide variety of subject matters and research
methods. As a result, the level of detail of the requirements allows for flexibility
and leaves enough room for different audit approaches. Therefore users of ISSAI
3000 are also encouraged to make full use of the related guidance for specific
subject matters. Audits may be conducted in accordance with both ISSAI 3000
and standards from other sources, provided that no contradictions arise. In those
cases, reference should be made both to such standards and to ISSAI 3000.

16) Elements of performance auditing can be part of a more extensive audit that
also covers compliance and financial auditing aspects. When dealing with
overlaps between audit types (or combined audits) the auditor needs to
observe all relevant standards and consider that where there are different
priorities, the primary objective of the audit guides the auditor as to which
standards to apply.

7
3 DEFINITION OF
PERFORMANCE AUDITING

17) Performance auditing carried out by SAIs is an independent, objective

and reliable examination of whether government undertakings, systems,
operations, programmes, activities or organizations are operating in
accordance with the principles of economy, efficiency and/or effectiveness
and whether there is room for improvement.

18) Performance auditing aims to contribute to improved economy, efficiency

and effectiveness in the public sector. It also aims to contribute to good
governance, accountability and transparency. Performance auditing seeks
to provide new information, analysis or insights and, where appropriate,
recommendations for improvement.

19) Performance auditing often includes an analysis of the conditions that

are necessary to ensure that the principles of economy, efficiency and
effectiveness can be upheld.

20) Further information on the definitions of economy, efficiency and

effectiveness, and the ways performance auditing provides new information
can be found in the GUID 3910.

8
4 GENERAL REQUIREMENTS
FOR PERFORMANCE
AUDITING

INDEPENDENCE AND ETHICS

Requirement

21) The auditor shall comply with the SAI’s procedures for independence and
ethics, which in turn shall comply with the related ISSAIs on independence
and ethics.

Explanation

22) Independence comprises independence in fact and independence in

appearance. Independence in fact allows the auditor to perform activities
without being affected by influences that compromise professional judgment;
to act with integrity and exercise objectivity and professional scepticism.
Independence in appearance is the absence of circumstances that would
cause a reasonable and informed stakeholder, having knowledge of relevant
information, to reasonably doubt the integrity, objectivity or professional
scepticism of the auditor, or conclude that they have been compromised.
Additional content on independence is contained in INTOSAI-P 10 - Mexico
Declaration on SAI Independence and GUID 9030 - Good Practices Related to
SAI Independence, and on ethics, in ISSAI 130 - Code of Ethics.

Requirement

23) The auditor shall take care to remain independent so that the audit findings
and conclusions are impartial and will be seen as such by the intended users.

9
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Explanation

24) The auditor must consider specific risks to independence that may be present
in performance audits. The auditor has a particular role in identifying audit
criteria, measuring against them, and formulating a balanced audit report.
In this regard, the auditor needs to remain independent so that the audit
report is impartial and the ethical behaviour of the audit team is safeguarded.
It is also important to consider the positions of relevant stakeholders, and
their interests, and to establish open and good communication with them
nevertheless it is essential to guard one’s independence.

INTENDED USERS AND RESPONSIBLE PARTIES

Requirement

25) The auditor shall explicitly identify the intended users and the responsible
parties of the audit and throughout the audit consider the implication of
these roles in order to conduct the audit accordingly.

Explanation

26) The intended users are the persons for whom the auditor prepares the
performance audit report. The legislature, executive, government agencies, third
parties concerned by the audit report, and the public can all be intended users.

27) The role of a responsible party may be shared by a range of individuals or

entities, each with responsibility for a different aspect of the subject matter.
The responsible party may include those responsible for the subject matter
being audited in an operative and/or supervisory role but can also refer to
those responsible for addressing the recommendations and initiating the
changes required. A responsible party may also be an intended user, but it
will typically not be the only one.

28) It is also important to consider the needs and interests of the intended users
and responsible parties. By doing so the auditor can ensure that the audit
report is most useful and understandable to these entities. This should,

10
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

however, in no way undermine the independence and objective attitude of

the auditor who remains responsible for a well-balanced audit approach
pursuing the public interest.

SUBJECT MATTER

Requirement

29) The auditor shall identify the subject matter of a performance audit.

Explanation

30) The subject matter relates to the question “what is audited” and is defined in
the audit scope. The subject matter of a performance audit may be specific
programmes, undertakings, systems, entities or funds and may comprise
activities (with their outputs, outcomes and impacts) or existing situations,
including causes and consequences. The audit scope is the boundary of the
audit and is directly tied to the audit objectives. The audit scope defines the
subject matter that the auditor will assess and report on, the documents or
records to be examined, the period reviewed, and the locations that will be
included.

31) Many topics in performance auditing are politically sensitive because they
may relate to the performance of public programmes prioritized by the
government. Performance auditing examines whether decisions by the
legislature or the executive are efficiently and effectively prepared and
implemented, and whether taxpayers or citizens have received value for
money. It does not question the intentions and decisions of the legislature,
depending on the SAI´s mandate, but examines whether any shortcomings of
the laws and regulations or their implementation have prevented the specified
audit objectives from being achieved.

11
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

CONFIDENCE AND ASSURANCE IN PERFORMANCE AUDITING

Requirement

32) The auditor shall communicate assurance about the outcome of the audit of
the subject matter against criteria in a transparent way.

Explanation

33) Assurance means that users can be confident in the findings, conclusions and
recommendations in the report. The auditor provides the users with assurance
by explaining how findings, criteria and conclusions were developed in a
balanced and reasoned manner, and why the findings result in the conclusions.

34) The auditor needs to transparently communicate the audit objective(s), scope,
methodology and data gathered and any significant limitations in the report
so that users will not be misled.

AUDIT OBJECTIVE(S)

Requirement

35) The auditor shall set a clearly-defined audit objective(s) that relates to the
principles of economy, efficiency and/or effectiveness.

36) The auditor shall articulate the audit objective(s) in sufficient detail in order
to be clear about the questions that will be answered and to allow logical
development of the audit design.

37) If the audit objective(s) is formulated as audit questions and broken down
into sub-questions, then the auditor shall ensure that they are thematically
related, complementary, not overlapping and collectively exhaustive in
addressing the overall audit question.

12
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Explanation

38) An audit objective(s) can be thought of as audit questions about the subject
matter on which the auditor seeks to obtain answers, based on the audit
evidence obtained. A well-defined audit objective(s) relates to government
undertakings, systems, operations, programmes, activities or organizations
that are related to the subject matter. The formulation of audit questions is an
iterative process in which the questions are repeatedly specified and refined,
account being taken of known relevant information on the subject as well as
feasibility.

39) Many audit objectives can be framed as an overall audit question, which can
be broken down into sub-questions that are more precise. Instead of defining
a single audit objective or overall audit question, the auditor may choose to
develop several audit objectives, which need not always be broken down into
questions and sub-questions.

AUDIT APPROACH

Requirement

40) The auditor shall choose a result-, problem or system-oriented audit

approach, or a combination thereof.

Explanation

41) The audit approach determines the nature of the examination to be made
and is an important link between the audit objective(s), audit criteria and the
work done to collect the evidence.

42) A system-oriented approach examines the proper functioning of management

systems. Frequently, elementary principles of good management will be
helpful in examining the conditions for efficiency or effectiveness even when
there is a lack of a clear consensus on a problem or when outcomes or outputs
are not clearly stated.

13
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

43) A result-oriented approach assesses whether outcome or output objectives

have been achieved as intended or programmes and services are operating
as intended. It can be used most easily when there is a clear statement of
desired outcomes or outputs (e.g. in the law or a strategy decided upon by
the responsible parties).

44) A problem-oriented approach examines, verifies and analyses the causes of

particular problems or deviations from audit criteria. It can be used when
there is a clear consensus on a problem, even if there is no clear statement
of the desired outcomes or outputs. Conclusions and recommendations are
primarily based on the process of analysing and confirming causes rather than
comparing audit evidence with audit criteria.

AUDIT CRITERIA

Requirement

45) The auditor shall establish suitable audit criteria, which correspond to the
audit objective(s) and audit questions and are related to the principles of
economy, efficiency and/or effectiveness.

Explanation

46) Audit criteria are the benchmarks used to evaluate the subject matter. In
audits covering complex issues, it is not always possible to set audit criteria in
advance. The auditor might find more detailed audit criteria during the audit
process e.g. being aware of best practice among comparable public entities.
Whereas in other audit types there can be unequivocal audit criteria, this is
not typically the case in performance auditing. Audit criteria are not always
readily available to the auditor in performance auditing; they are typically
based on knowledge of best practice on how activities are carried out to be
most economical and efficient (or what conditions are the most favourable
for good performance and effectiveness). It is essential to have suitable audit
criteria for assuring the quality of a performance audit, particularly since, in
many cases, clarifying and developing these audit criteria might be part of the
value added by the performance audit.

14
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

47) The audit criteria can be qualitative or quantitative and may be general or
specific, focusing on what is expected, according to sound principles, scientific
knowledge and best practice; or on what could be (given better conditions) or
on what should be according to laws, regulations or objectives.

48) The audit criteria need to provide an appropriate and reasonable basis
for assessing against audit objectives. Audit criteria have to be relevant,
understandable, complete, reliable, and objective in the context of the subject
matter, the audit objective(s) and/or the audit questions.

Requirement

49) The auditor shall, as part of planning and/or conducting the audit, discuss
the audit criteria with the audited entity.

Explanation

50) The audit criteria has to be discussed with the audited entity, but it is ultimately
the auditor’s responsibility to select suitable audit criteria.

51) Discussing the audit criteria with the audited entity serves to ensure that there
is a shared and common understanding of what quantitative and qualitative
audit criteria will be used as benchmarks when evaluating the subject matter.
This is particularly important when the audit criteria are not defined directly
by laws or other authoritative documents, or the audit criteria have to be
developed and refined throughout the course of the audit work.

AUDIT RISK

Requirement

52) The auditor shall actively manage audit risk to avoid the development of
incorrect or incomplete audit findings, conclusions, and recommendations,
providing unbalanced information or failing to add value.

15
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Explanation

53) Actively managing audit risk includes the following: anticipating the possible
or known risks of the work envisaged, developing audit approaches to address
those audit risks during audit planning and the selection of methods, and
documenting how those risks will be handled.

54) Actively managing audit risk also includes considering whether the audit
team has sufficient and appropriate competence to conduct the audit, has
adequate access to accurate, reliable and relevant good quality information,
has considered any new information that is available, and has considered
alternative perspectives.

COMMUNICATION

Requirement

55) The auditor shall plan for and maintain effective and proper communication
of key aspects of the audit with the audited entity and relevant stakeholders
throughout the audit process.

Explanation

56) Effective communication is important, because establishing good two-way

communication with the audited entity and stakeholders can help improve the
auditor’s access to information and data, and may help the auditor gain better
insights into the perspectives of the audited entity and the stakeholders.

57) The key audit aspects that the auditor needs to communicate to the audited
entity include; the audit subject matter, audit objective(s) and/or audit
questions, audit criteria, the time period to be audited, and the government
undertakings, organizations and/or programmes to be included in the audit.

58) A sound dialogue throughout the audit process with the audited entity involved
is pivotal in achieving real improvements in governance and may increase the
impact of the audit. In this context, the auditor can maintain constructive

16
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

interactions with the audited entity by sharing audit findings, arguments and
perspectives as they are developed and assessed throughout the audit.

Requirement

59) The auditor shall take care to ensure that communication with stakeholders
does not compromise the independence and impartiality of the SAI.

Explanation

60) It is important for the auditor to maintain good professional relationships with all
stakeholders involved in the audit, promote a free and frank flow of information
as far as confidentiality requirements permit, and conduct discussions in an
atmosphere of mutual respect and understanding of the respective role and
responsibilities of each stakeholder. However, these communications must not
affect the independence and impartiality of the SAI.

Requirement

61) The SAI shall clearly communicate the standards that were followed to
conduct the performance audit.

Explanation

62) The SAI either needs to include a reference to the standard that was followed
when conducting each performance audit in the related audit report, or may
choose a more general form of communication by covering a defined range
of engagements in a statement in an annual report or on the SAI’s website.
When the standard followed is based on several sources taken together, this
also needs to be communicated.

SKILLS

Requirement

63) The SAI shall ensure that, the audit team collectively has the necessary
professional competence to perform the audit.

17
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Explanation

64) Professional competence in performance auditing includes having sound

knowledge of auditing, research design, social science methods and
investigation or evaluation techniques. It also includes personal abilities such
as analytical capacity, writing skills and communication skills, creativity and
receptiveness to views and arguments. Performance auditing also requires
sound knowledge of government organizations, programmes, and functions
related to the subject matter of the audit, and may require expertise in social,
physical, computer, or other sciences, as well as legal expertise.

65) If the auditor determines that external expertise is required to complement

the knowledge of the audit team then the auditor may consult, as appropriate,
with individuals, within and outside the SAI, who have this specialized
expertise. Any external experts engaged with the audit also need to be
independent from situations and relationships that could impair the external
experts’ objectivity. Although the auditor may use the work of experts as
audit evidence, the auditor retains full responsibility for the audit work and
the conclusions in the audit report.

SUPERVISION

Requirement

66) The SAI shall ensure that the work of the audit staff at each level and audit
phase is properly supervised during the audit process.

Explanation

67) Audit supervision involves providing sufficient guidance and direction to the
audit team assigned to the audit. The auditor who supervises the audit would
be expected to have competence and knowledge in audit methodologies;
planning and monitoring work; project management; strategic thinking;
foresight and problem solving. The level of supervision provided by the auditor
may vary depending upon the proficiency and experience of the audit team
and the complexity of the subject matter of the audit.

18
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

PROFESSIONAL JUDGMENT AND SCEPTICISM

Requirement

68) The auditor shall exercise professional judgment and scepticism and consider
issues from different perspectives, maintaining an open and objective
attitude to various views and arguments.

Explanation

69) Performance audits require significant judgment and interpretation because

audit evidence for this type of audit is more persuasive than conclusive in
nature.

70) Professional judgment refers to the application of collective knowledge, skills,

and experience to the audit process. Using professional judgment helps the
auditor determine the level of understanding needed for the audit subject
matter. It involves the exercise of reasonable care in the conduct of the audit
and the diligent application of all relevant professional standards and ethical
principles.

71) Professional scepticism means maintaining professional distance from the

audited entity and an alert and questioning attitude when assessing the
sufficiency and appropriateness of the audit evidence obtained throughout
the audit.

72) Exercising professional judgment and scepticism allows the auditor to be

receptive to a variety of views and arguments and better able to consider
different perspectives, maintain objectivity, and evaluate the full range of audit
evidence. It also helps to ensure that the auditor avoids errors of judgment or
cognitive bias and draws objective conclusions based on a critical assessment
of all of the audit evidence collected.

Requirement

73) The auditor shall assess the risk of fraud when planning the audit and be
alert to the possibility of fraud throughout the audit process.

19
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Explanation

74) The auditor needs to identify and assess the risks of fraud relevant to the
audit objectives. If the risk of fraud is significant, it is important during the
audit for the auditor to obtain a good understanding of the relevant internal
control systems and examine whether there are any signs of irregularities
that could hamper performance. The auditor needs to make enquiries and
perform procedures to identify and respond to the risks of fraud relevant to
the audit objectives.

Requirement

75) The auditor shall maintain a high standard of professional behaviour.

Explanation

76) Professional behaviour means that the auditor must 1) apply high professional
standards in carrying out the work competently and with impartiality, 2) not
undertake work he/she is not competent to perform, 3) know and follow
applicable laws, regulations, conventions, policies, procedures and practices,
4) possess a good understanding of the constitutional, legal and institutional
principles and standards governing the operations of the audited entity, 5)
not engage in behaviour that may discredit the SAI, 6) comply with ethical
principles and requirements.

Requirement

77) The auditor shall be willing to innovate throughout the audit process.

Explanation

78) By being creative, flexible, and resourceful, the auditor will be in a better
position to identify opportunities to develop innovative audit approaches for
collecting, interpreting, and analysing information. It is important to recognize
that different stages of the audit process provide different levels of innovation
opportunities. During the planning stage, the auditor may have the greatest
opportunity to innovate while still in the process of determining the best audit
approaches and techniques applicable to the audit.

20
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

QUALITY CONTROL

Requirement

79) The SAI shall establish and maintain a system to safeguard quality, which the
auditor shall comply with to ensure that all requirements are met, and place
emphasis on appropriate, balanced, and fair audit reports that add value
and answer the audit questions.

Explanation

80) In establishing a quality control and assurance system (QCA), the SAI can use
the content provided by ISSAI 140, which offers a framework for developing
such a system. It is important to develop QCA policies and procedures that
are adequate, flexible and easy to manage. It is also important to develop
consistent policies and procedures that are communicated to all staff, which
can be used to resolve differences of opinion between supervisors and audit
teams. In addition, other guidance and on-the job training may need to be
developed to complement the quality control mechanisms.

81) Measures that safeguard the quality of the audit process and the audit report
will be effective if they can ensure that the audit provides a balanced and
unbiased view, adds value, considers all relevant viewpoints and satisfactorily
addresses the audit questions.

82) An effective QCA system will also have mechanisms to take into account the
audit team’s perspectives ensuring that audit teams are open to feedback
received from the quality control and assurance system.

MATERIALITY

Requirement

83) The auditor shall consider materiality at all stages of the audit process,
including the financial, social and political aspects of the subject matter with
the goal of delivering as much added value as possible.

21
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Explanation

84) Materiality can be defined as the relative importance (or significance) of

a matter within the context in which it is being considered. In addition to
monetary value, materiality includes issues of social and political significance,
compliance, transparency, governance and accountability. It is important for
the auditor to keep in mind that materiality can vary over time and can depend
on the perspective of the intended users and responsible parties.

85) Materiality is an important consideration for different aspects of the

performance audit, such as, defining the objective, audit criteria, evaluating
the audit evidence, creating documentation, and managing the risks of
producing inappropriate or low-impact audit findings or audit reports.

DOCUMENTATION

Requirement

86) The auditor shall document the audit in a sufficiently complete and detailed
manner.

Explanation

87) Adequate documentation is important to provide a clear understanding of

the audit work carried out, to enable an experienced auditor with no prior
knowledge of the audit to understand the nature, timing, scope and results
of the audit work performed and the audit evidence obtained to support the
audit findings, conclusions and recommendations, and the reasoning behind
all significant matters that required the exercise of professional judgment.

88) It is important for the auditor to prepare the audit documentation in a timely
manner; keep it up to date throughout the course of the audit; and complete
the documentation, to the extent possible, before the audit report is issued.

22
5 REQUIREMENTS RELATED TO THE
PERFORMANCE AUDITING
PROCESS

PLANNING – SELECTION OF TOPICS

Requirement

89) The auditor shall select audit topics through the SAI’s strategic planning
process by analysing potential topics and conducting research to identify
audit risks and problems.

90) The auditor shall select audit topics that are significant and auditable, and
consistent with the SAI’s mandate.

91) The auditor shall conduct the process of selecting audit topics with the aim
of maximising the expected impact of the audit while taking account of
audit capacities.

Explanation

92) The SAI´s strategic planning process may be understood as the first step in
topic selection because it comprises the analysis of potential areas for audit
and defines the basis for the efficient allocation of audit resources.

93) During the strategic planning process, techniques such as risk analysis
or problem assessments can help structure the process but need to be
complemented by professional judgment to reflect the SAI´s mandate and to
ensure that significant and auditable audit topics are selected.

23
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

94) Auditability is an important requirement in the planning process. It defines

whether a topic is suitable for an audit. The auditor might have to consider, for
instance, whether there are relevant audit approaches, methodologies, and audit
criteria available and whether the information required is likely to be available and
can be obtained efficiently. If the auditor determines that reliable information is
not available then this may itself be a reason for selecting this area for an audit.

95) Since the SAI may have limited audit capacities in terms of human resources
and professional skills, the audit topic selection process must consider the
potential impact of the audit topic in providing important benefits for public
finance and administration, the audited entity, or the general public with the
resources available. Other aspects to be considered in topic selection are
the results and recommendations of previous audits or examinations, and
conditions in terms of timing.

PLANNING - DESIGNING THE AUDIT

Requirement

96) The auditor shall plan the audit in a manner that contributes to a high-quality
audit that will be carried out in an economical, efficient, effective and timely
manner and in accordance with the principles of good project management.

Explanation

97) To accomplish a high-quality audit within a limited timeframe the auditor needs
to consider the performance audit as a project in the sense that it involves
planning, organizing, securing, managing, leading, and controlling resources to
achieve specific goals. Managing the performance audit as a project requires
the development of project management methodologies and strategies.

Requirement

98) The auditor shall acquire substantive and methodological knowledge during
the planning phase.

24
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Explanation

99) To ensure the audit is properly planned, the auditor needs to acquire sufficient
knowledge of the audited programme or audited entity’s business before the
audit is launched. Therefore, before starting the audit, it is generally necessary
to conduct research work for building knowledge, testing various audit designs
and checking whether the necessary data are available. This preliminary work
can be called pre-study.

100) It is important to develop a sound understanding of the audited programme

or the audited entity’s business, as well as its context and possible impacts to
facilitate the identification of significant audit issues and to fulfil assigned audit
responsibilities. Performance audit is a learning process involving adaptation
of methodology, as part of the audit itself.

Requirement

101) During planning, the auditor shall design the audit procedures to be used
for gathering sufficient and appropriate audit evidence that respond to the
audit objective(s) and question(s).

Explanation

102) The audit plan is designed to ensure the gathering of sufficient and appropriate
audit evidence that will allow the auditor to develop audit findings, conclusions,
and recommendations in response to the audit objective(s) and audit questions.

103) It is also desirable that planning allow for flexibility, so that the auditor
can benefit from insights obtained during the course of the audit. Practical
considerations such as the availability of data may restrict the choice of
methods previously considered according with best practices. It is therefore
advisable to be flexible and pragmatic in this respect.

Requirement

104) The auditor shall submit the audit plan to the audit supervisor and SAI’s
senior management for approval.

25
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Explanation

105) The SAI’s senior and operational management as well as the audit team need
to be fully aware of the overall audit design. Decisions on audit design and its
consequences in terms of resources will often involve the senior management
of the SAI, who can ensure that skills, resources and capacities are in place to
address the audit objectives and the audit questions.

CONDUCTING

Requirement

106) The auditor shall obtain sufficient and appropriate audit evidence in order
to establish audit findings, reach conclusions in response to the audit
objective(s) and audit questions and issue recommendations when relevant
and allowed by the SAI´s mandate.

Explanation

107) Audit evidence should be both sufficient (quantity) and appropriate (quality)
to persuade a knowledgeable person that the audit findings are reasonable.

108) Sufficiency is a measure of the quantity of audit evidence used to support the
audit findings and conclusions. In assessing the sufficiency of audit evidence,
the auditor should determine whether enough audit evidence has been
obtained to persuade a knowledgeable person that the audit findings are
reasonable. Appropriateness refers to the quality of audit evidence. It means
that the audit evidence should be relevant, valid and reliable.

109) Relevance refers to the extent to which the audit evidence has a logical
relationship with, and importance to, the audit objective(s) and audit questions
being addressed.

110) Validity refers to the extent to which the audit evidence is a meaningful or
reasonable basis for measuring what is being evaluated. In other words,
validity refers to the extent to which the audit evidence represents what it

26
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

is purported to represent. Reliability refers to the extent to which the audit

evidence is supported by corroborating data from a range of sources, or
produces the same audit findings when tested repeatedly.

111) In a performance audit, the nature of the required audit evidence is

determined by the subject matter, the audit objective(s) and the audit
questions. Because of this variation, the nature of the audit evidence needs
to be specified for the individual audit.

Requirement

112) The auditor shall analyse the collected information and ensure that the audit
findings are put in perspective and respond to the audit objective(s) and audit
questions; reformulating the audit objective(s) and audit questions as needed.

Explanation

113) The analytical process in performance auditing involves continuous

consideration by the auditor of the audit questions, audit evidenced gathered,
and methods employed. The whole process is closely linked to that of drafting
the audit report, which can be seen as an essential part of the analytical
process culminating in answers to the audit questions.

114) When analysing collected information, it is recommended to focus on the audit

question and audit objective(s). This will help to organize data and also provide
the focus for analysis. Because the analytical process is iterative, the auditor may
need to revisit the audit objective(s) in the light of the insights obtained during
the audit and revise it in accordance with the necessary internal procedures.

115) Based on the audit findings, the auditor will reach a conclusion. Formulating
conclusions may also require a significant measure of the auditor´s professional
judgment and interpretation in order to answer the audit questions. This
would also depend upon the sensitivity and materiality of the audit issue under
consideration. It is necessary to consider the context and all relevant arguments,
pros and cons, and different perspectives before conclusions can be drawn. The
need for precision is to be weighed against what is reasonable, economical and
relevant to the purpose. The involvement of senior management is recommended.

27
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

REPORTING

Requirement

116) The auditor shall provide audit reports, which are a) comprehensive, b)
convincing, c) timely, d) reader friendly, and e) balanced.

Explanation

117) To be comprehensive, an audit report needs to include all the information and
arguments needed to address the audit objective(s) and audit questions, while
being sufficiently detailed to provide an understanding of the subject matter
and the audit findings and conclusions. Due to the diverse topics possible
in a performance audit, the content and structure of the audit report will
vary. Typically, for reasons of transparency and accountability, the minimum
content of a performance audit report includes the:

a) subject matter,

b) audit objective(s) and/or audit questions,

c) audit criteria and its sources,

d) audit-specific methods of data gathering and analysis applied,

e) time period covered,

f) sources of data,

g) limitations to the data used,

h) audit findings,

i) conclusions and recommendations, if any.

28
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

118) To be convincing, an audit report needs to be logically structured and present

a clear relationship between the audit objective(s) and/or audit questions,
audit criteria, audit findings, conclusions and recommendations. It also needs
to present the audit findings persuasively, address all relevant arguments to
the discussion, and be accurate. Accuracy requires that the audit evidence
presented and all the audit findings and conclusions are correctly portrayed.
Accuracy assures readers that what is reported is credible and reliable.

119) Being timely requires that an audit report needs to be issued on time in order
to make the information available for use by management, government, the
legislature and other interested parties.

120) To be reader friendly, the auditor needs to use simple language in the audit
report to the extent permitted by the subject matter. Other qualities of a reader-
friendly audit report include the use of clear and unambiguous language,
illustrations and conciseness to ensure that the audit report is no longer than
needed, which improves clarity and helps to better convey the message.

121) Being balanced means that the audit report needs to be impartial in content
and tone. All audit evidence needs to be presented in an unbiased manner.
The auditor needs to be aware of the risk of exaggeration and overemphasis
of deficient performance. The auditor needs to explain causes and the
consequences of the problems in the audit report because it will allow the
reader to better understand the significance of the problem. This will in turn
encourage corrective action and lead to improvements by the audited entity.

Requirement

122) The auditor shall identify the audit criteria and their sources in the audit
report.

Explanation

123) Audit criteria and their sources must be identified in the audit report because
the intended users’ confidence in the audit findings and conclusions depends
largely on the audit criteria. In performance audits, a wide variety of sources
can be used to identify audit criteria.

29
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Requirement

124) The auditor shall ensure that the audit findings clearly conclude against the
audit objective(s) and/or questions, or explain why this was not possible.

Explanation

125) The audit findings have to be put into perspective, and congruence has to be
ensured between the audit objective(s), audit questions, audit findings and
conclusions. Conclusions are the statements deduced by the auditor from the
audit findings.

Requirement

126) The auditor shall provide constructive recommendations that are likely to
contribute significantly to addressing the weaknesses or problems identified
by the audit, whenever relevant and allowed by the SAI’s mandate.

Explanation

127) A constructive recommendation is one that is well founded, adds value, is

practical and is linked to the audit objective(s), audit findings and conclusions.
Recommendations need to avoid truisms, address the causes of problems, and
not encroach on the management´s responsibilities. It should be clear how the
recommendation would contribute to better performance. The recommendations
must follow logically or analytically from the facts and arguments presented.

128) Recommendations need to be addressed to the audited entity that has the
responsibility and competence for implementing them.

Requirement

129) The auditor shall give the audited entity the opportunity to comment on the
audit findings, conclusions and recommendations before the SAI issues its
audit report.

130) The auditor shall record the examination of the audited entity’s comments
in working papers, including the reasons for making changes to the audit
report or for rejecting comments received.

30
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Explanation

131) Comments from the audited entity on the audit findings, conclusions and
recommendations contribute to the writing of a balanced audit report and
help the auditor resolve any disagreements and correct any factual errors
before an audit report is finalized. The audit report has to reflect the views of
the auditor but also show the perspective of the audited entity.

132) The examination of feedback received needs to be recorded in working papers

so that any changes to the draft audit report, or reasons for not making
changes, are documented. Such documentation provides transparency over
why any changes to the draft audit report were or were not made, as well as
the auditor’s reasons for these decisions.

Requirement

133) The SAI shall make its audit reports widely accessible taking into
consideration regulations on confidential information.

Explanation

134) Distributing audit reports widely can promote the credibility of the audit
function. Therefore, audit reports need to be distributed to the audited entity,
to the executive and/or the legislature and to other responsible parties. The
reports also need to be made accessible to other stakeholders and the general
public directly and through the media, except for the classified information.

135) The primary audience for performance audit reports is the legislature,
executive, government agencies and the citizen. A good performance audit
enables the legislature to effectively scrutinise government and agency
performance, and influence decision-makers in government and the public
service to make changes that lead to better performance outcomes. However,

31
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

there are also the general public and other stakeholders, such as the private
sector and the media who can have an interest, but possibly a different focus,
in the outcome of a performance audit.

FOLLOW-UP
Requirement

136) The auditor shall follow up, as appropriate, on previous audit findings and
recommendations and the SAI shall report to the legislature, if possible, on
the conclusions and impacts of all relevant corrective actions.

Explanation

137) Follow-up refers to the auditor’s examination of the corrective actions taken
by the audited entity, or other responsible party, based on the results of a
performance audit. It is an independent activity that increases the value of
the audit process by strengthening the impact of the audit and laying the
basis for improvements to future audit work. It also encourages the audited
entity, and other intended users of audit reports, to take the audit report
and audit findings seriously, and provides the auditor with useful lessons and
performance indicators. Follow-up is important for the internal learning and
development of the audited entity as well as of the SAI itself.

138) The SAI needs to report on the results of its follow-up actions appropriately
in order to provide feedback to the legislature, executive, stakeholders
and the public. Reliable information on the implementation status of
recommendations, the impact of audits and the relevant corrective actions
taken, can help demonstrate the value and benefit of the SAI.

Requirement

139) The auditor shall focus the follow-up on whether the audited entity has
adequately addressed the problems and remedied the underlying situation
after a reasonable period.

32
ISSAI 3000 - PERFORMANCE AUDIT STANDARD

Explanation

140) Follow-up is not restricted to implementing recommendations but focuses

on whether the audited entity has addressed the problems adequately and
remedied the underlying situation after a reasonable period.

141) The auditor needs to decide which (if not all) recommendations are to be
followed up and how follow-up will be undertaken (by means of a new audit
or a simplified procedure).

33