ISSAI 300

Performance Audit
Principles

INTOSAI Standards are issued

by the International
Organisation of Supreme Audit
Institutions, INTOSAI, as part of
the INTOSAI Framework of
Professional Pronouncements.
For more information visit
INTOSAI www.issai.org
 INTOSAI

INTOSAI, 2019
1) Endorsed as Field standards in government auditing and standards
with ethical significance in 2001
2) Content reformulated and endorsed as Fundamental Principles of
Performance Auditing in 2013
3) With the establishment of the Intosai Framework of Professional
Pronouncements (IFPP), renamed as Performance Audit Principles with
editorial changes in 2019

ISSAI 300 is available in all INTOSAI official languages: Arabic, English, French,
German and Spanish
TABLE OF CONTENTS

1. INTRODUCTION 5

2. PURPOSE AND AUTHORITY OF THE PERFORMANCE

AUDIT PRINCIPLES 6

3. FRAMEWORK FOR PERFORMANCE AUDITING 8

Definition of performance auditing 8
Economy, efficiency and effectiveness 8
Objectives of performance auditing 9
Applicability of ISSAI 300 10

4. ELEMENTS OF PERFORMANCE AUDITING 11

The three parties in performance auditing 11
Subject matter and criteria in performance auditing 12
Confidence and assurance in performance auditing 12

5.PRINCIPLES OF PERFORMANCE AUDITING 14

General principles 14
Audit objective 14
Audit approach 15
Criteria 16
Audit risk 17
Communication 18
Skills 19
Professional judgement and scepticism 20
Quality control 21
Materiality 22
Documentation 23
Principles related to the audit process 24

Planning 25
Selection of topics 25
Designing the audit 26

Conducting 28
Evidence, findings and conclusions 28

Reporting 29
Content of the report 29
Recommendations 30
Distribution of the report 30

Follow-up 31
1 INTRODUCTION

1) Professional standards and guidelines are essential for the credibility, quality
and professionalism of public-sector auditing. The International Standards of
Supreme Audit Institutions (ISSAIs) developed by the International Organisation
of Supreme Audit Institutions (INTOSAI) aim to promote independent and
effective auditing by supreme audit institutions (SAIs) and support the
members of INTOSAI in the development of their own professional approach
in accordance with their mandates and with national laws and regulations.

2) ISSAI 100 - Fundamental Principles of Public-Sector Auditing provides the

fundamental principles for public-sector auditing in general and defines the
authority of the ISSAIs. ISSAI 300 - Performance Audit Principles builds on and
further develops the fundamental principles of ISSAI 100 to suit the specific
context of performance auditing. ISSAI 300 should be read and understood
in conjunction with ISSAI 100, which also applies to performance auditing.

3) ISSAI 300 - Performance Audit Principles consists of three sections.

a) The first section establishes the framework for performance auditing

and for reference to the relevant ISSAIs.

b) The second section consists of the general principles for performance

audit engagements that the auditor should consider prior to
commencement and throughout the audit process.

c) The third section contains principles of relevance to the main stages

of the audit process itself.

Each principle is followed by a brief explanation.

5
2 PURPOSE AND AUTHORITY OF
THE PERFORMANCE AUDIT
PRINCIPLES

4) This document seeks to establish a common understanding of the nature

of performance auditing, including the principles to be applied to achieve
a high standard of audit. INTOSAI members are encouraged to develop or
adopt authoritative standards consistent with ISSAIs 100 and 300 and to
also take into account the INTOSAI standards and guidance on performance
auditing in ISSAIs 3000-3899 and GUIDs 3900-3999. The ISSAIs 3000 - 3899
provide performance audit standards for SAIs that have chosen to adopt the
ISSAIs as their authorative standards.

5) Pronouncements for performance auditing should reflect the need for

flexibility in the design of individual engagements, for auditors to be receptive
and creative in their work and for professional judgement at all stages of the
audit process.

6) INTOSAI recognises that SAIs have contrasting mandates and work under
different conditions. Due to the varied situations and structural arrangements
of SAIs, not all auditing standards or guidelines can apply to all aspects of their
work. SAIs therefore have the option of developing authoritative standards
that are either based on or consistent with the Performance Audit Principles.
If an SAI chooses to base its standards on these principles, those standards
should correspond to these principles in all applicable and relevant respects.

7) Where an SAI’s auditing standards are based on or consistent with the

Performance Audit Principles, these may be referred to by stating:

… We conducted our audit[s] in accordance with [standards], which are based

on [or consistent with] ISSAI 100 - Fundamental Principles of Public-Sector

6
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

Auditing and ISSAI 300 Performance Audit Principles of the International

Standards of Supreme Audit Institutions.

The reference may be included in the audit report or communicated by the

SAI in a more general form covering a defined range of engagements.

8) SAIs may choose to adopt the Performance Audit Standards (ISSAI 3000 –
3899) as the authoritative standards for their work. Where an SAI has chosen
so to adopt these standards, it must comply with them in all relevant respects.
Reference in this case may be made by stating:

…We conducted our [performance] audit[s] in accordance with the

International Standards of Supreme Audit Institutions [on performance
auditing].

7
3 FRAMEWORK FOR
PERFORMANCE AUDITING

DEFINITION OF PERFORMANCE AUDITING

9) As carried out by SAIs, performance auditing is an independent, objective

and reliable examination of whether government undertakings, systems,
operations, programmes, activities or organisations are operating in
accordance with the principles of economy, efficiency and effectiveness and
whether there is room for improvement.

10) Performance auditing seeks to provide new information, analysis or insights

and, where appropriate, recommendations for improvement. Performance
audits deliver new information, knowledge or value by:
• providing new analytical insights (broader or deeper analysis or new
perspectives);
• making existing information more accessible to various stakeholders;
• providing an independent and authoritative view or conclusion based on
audit evidence;
• providing recommendations based on an analysis of audit findings.

ECONOMY, EFFICIENCY AND EFFECTIVENESS

11) The principles of economy, efficiency and effectiveness can be defined as

follows:

8
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

• The principle of economy means minimising the costs of resources. The

resources used should be available in due time, in and of appropriate
quantity and quality and at the best price.
• The principle of efficiency means getting the most from the available
resources. It is concerned with the relationship between resources
employed and outputs delivered in terms of quantity, quality and timing.
• The principle of effectiveness concerns meeting the objectives set and
achieving the intended results.

Performance audits often include an analysis of the conditions that are

necessary to ensure that the principles of economy, efficiency and effectiveness
can be upheld. These conditions may include good management practices
and procedures to ensure the correct and timely delivery of services. Where
appropriate, the impact of the regulatory or institutional framework on the
performance of the audited entity should also be taken into account.

OBJECTIVES OF PERFORMANCE AUDITING

12) The main objective of performance auditing is constructively to promote

economical, effective and efficient governance. It also contributes to
accountability and transparency.

Performance auditing promotes accountability by assisting those with

governance and oversight responsibilities to improve performance. It does
this by examining whether decisions by the legislature or the executive are
efficiently and effectively prepared and implemented, and whether taxpayers
or citizens have received value for money. It does not question the intentions
and decisions of the legislature, but examines whether any shortcomings
in the laws and regulations or their way of implementation have prevented
the specified objectives from being achieved. Performance auditing focuses
on areas in which it can add value for citizens and which have the greatest
potential for improvement. It provides constructive incentives for the
responsible parties to take appropriate action.

Performance auditing promotes transparency by affording parliament,

9
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

taxpayers and other sources of finance, those targeted by government policies

and the media an insight into the management and outcomes of different
government activities. It thereby contributes in a direct way to providing
useful information to the citizen, while also serving as a basis for learning and
improvements. In performance auditing, SAIs are free to decide, within their
mandate, what, when and how to audit, and should not be restrained from
publishing their findings.

APPLICABILITY OF ISSAI 300

13) The Performance Audit Principles provide the basis for the adoption or
development of standards by SAIs. They have been formulated with a view
to the institutional background of SAIs, including the prerequisites for the
proper functioning of SAIs on independence and constitutional mandates of
the INTOSAI Core Principles (INTOSAI-P 10-99) and ethical obligations and
further SAI organizational requirements (ISSAI 130-199).

14) When dealing with overlaps between audit types (or combined audits) the
following points should be considered:
• The statement of standards applied in the audit (paragraph 7 or 8 above)
may need to be adjusted in accordance with ISSAI 100, paragraph 9 or 10.
• Elements of performance auditing can be part of a more extensive audit
that also covers compliance and financial auditing aspects.
• In the event of an overlap, all relevant standards should be observed.
This may not be feasible in all cases, as different standards may contain
different priorities.

In such cases, the primary objective of the audit should guide the auditors
as to which standards to apply. In determining whether performance
considerations form the primary objective of the audit engagement, it should
be borne in mind that performance auditing focuses on activity and results
rather than reports or accounts, and that its main objective is to promote
economy, efficiency and effectiveness rather than report on compliance.

10
4 ELEMENTS OF
PERFORMANCE AUDITING

15) The elements of a public-sector audit (auditor, responsible party, intended

users, subject matter and criteria), as defined in ISSAI 100, may assume
distinct characteristics in performance auditing. Auditors should explicitly
identify the elements of each audit and understand their implications so that
they can conduct the audit accordingly.

THE THREE PARTIES IN PERFORMANCE AUDITING

16) Auditors frequently have considerable discretion in the selection of subject

matter and identification of criteria, which in turn influences who the
relevant responsible parties and intended users are. While auditors can
give recommendations, they need to take care that they do not assume the
responsibilities of the responsible parties. Auditors in performance audits
typically work in a team offering different and complementary skills.

17) The role of responsible party may be shared by a range of individuals or

entities, each with responsibility for a different aspect of the subject matter.
Some parties may be responsible for actions that have caused problems.
Others may be able to initiate changes to address the recommendations
resulting from a performance audit. Others still may be responsible for
providing the auditor with information or evidence.

18) The intended users are the persons for whom the auditor prepares the
performance audit report. The legislature, government agencies and the
public can all be intended users. A responsible party may also be an intended

11
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

user, but it will rarely be the only one.

SUBJECT MATTER AND CRITERIA IN PERFORMANCE AUDITING

19) The subject matter of a performance audit need not be limited to specific
programmes, entities or funds but can include activities (with their
outputs, outcomes and impacts) or existing situations (including causes
and consequences). Examples might be service delivery by the responsible
parties or the effects of government policy and regulations on administration,
stakeholders, businesses, citizens and society. The subject matter is determined
by the objective and formulated in the audit questions.

20) In performance auditing, the auditor is sometimes involved in developing or

selecting the criteria that are relevant to the audit. Paragraph 27 describes
which specific requirements follow from this for the auditor.

CONFIDENCE AND ASSURANCE IN PERFORMANCE AUDITING

21) As in all audits, the users of performance audit reports will wish to be
confident about the reliability of the information which they use for taking
decisions. They will therefore expect reliable reports which set out the SAIs’
evidence-based position on the subject examined.

Consequently, performance auditors should in all cases provide findings

based on sufficient appropriate evidence and actively manage the risk of
inappropriate reports. However, performance auditors are not normally
expected to provide an overall opinion, comparable to the opinion on financial
statements, on the audited entity’s achievement of economy, efficiency and
effectiveness. This is therefore not a requirement of the ISSAI framework.

22) The level of assurance provided by a performance audit should be

communicated in a transparent way. The degree of economy, efficiency and
effectiveness achieved may be conveyed in the performance audit report in
different ways:

12
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

• either through an overall view on aspects of economy, efficiency and

effectiveness, where the audit objective, the subject matter, the evidence
obtained and the findings reached allow for such a conclusion;
• or by providing specific information on a range of points including the
audit objective, the questions asked, the evidence obtained, the criteria
used, the findings reached and the specific conclusions.

23) Audit reports should only include findings that are supported by sufficient
appropriate evidence. The decisions made in drawing up a balanced report,
reaching conclusions and formulating recommendations frequently need to be
elaborated upon in order to provide sufficient user information. Performance
auditors should specifically describe how their findings have led to a set
of conclusions and – if applicable – a single overall conclusion. This means
explaining which criteria were developed and used and why, and stating that all
relevant viewpoints have been taken into account so that a balanced report can
be presented. The principles on reporting give further guidance for this process.

13
5 PRINCIPLES OF
PERFORMANCE AUDITING

GENERAL PRINCIPLES

24) The general principles set out below give guidance on aspects of performance
auditing that are relevant throughout the audit process.

Some areas to which these principles apply are not covered by ISSAI 100.
These are the selection of audit topics, the identification of audit objectives
and the definition of an audit approach and criteria.

In other areas, such as audit risk, communication, skills, professional

judgment, quality control, materiality and documentation, the general
principles draw on the principles of ISSAI 100 and explain how they
specifically apply in performance auditing.

Finally, some areas, such as ethics and independence, are currently

addressed by ISSAI 100, by INTOSAI Core Principles (INTOSAI-P 10-99) and by
SAI organizational requirements (ISSAIs 130-199).

» Audit objective

25) Auditors should set a clearly-defined audit objective that relates to the
principles of economy, efficiency and effectiveness.

The audit objective determines the approach and design of the engagement.
It could simply be to describe the situation. However, normative audit

14
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

objectives (are things as they ought to be?) and analytical audit objectives
(why are things not as they ought to be?) are more likely to add value.
In all cases, the auditors need to consider what the audit pertains to,
which organisations and bodies are involved and for whom the ultimate
recommendations are likely to be relevant. Well-defined audit objectives
relate to a single entity or an identifiable group of government undertakings,
systems, operations, programmes, activities or organisations.

Many audit objectives can be framed as an overall audit question which can
be broken down into more precise sub-questions. They should be thematically
related, complementary, not overlapping and collectively exhaustive in
addressing the overall audit question. All terms employed in the question
should be clearly defined. The formulation of audit questions is an iterative
process in which the questions are repeatedly specified and refined, account
being taken of known relevant information on the subject as well as feasibility.

Instead of defining a single objective or overall audit question, auditors may

choose to develop several audit objectives, which need not always be broken
down into sub-questions.

» Audit approach

26) Auditors should choose a result-, problem- or system-oriented approach, or a

combination thereof, to facilitate the soundness of audit design.

The overall audit approach is a central element of any audit. It determines

the nature of the examination to be made. It also defines the necessary
knowledge, information and data and the audit procedures needed to obtain
and analyse them.

Performance auditing generally follows one of three approaches:

• a system-oriented approach, which examines the proper functioning of
management systems, e.g. financial management systems;
• a result-oriented approach, which assesses whether outcome or output
objectives have been achieved as intended or programmes and services

15
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

are operating as intended;

• a problem-oriented approach, which examines, verifies and analyses the
causes of particular problems or deviations from criteria.

All three approaches can be pursued from a top-down or bottom-up

perspective. Top-down audits concentrate mainly on the requirements,
intentions, objectives and expectations of the legislature and central
government. A bottom-up perspective focuses on problems of significance to
people and the community.

» Criteria

27) Auditors should establish suitable criteria which correspond to the audit
questions and are related to the principles of economy, efficiency and
effectiveness.

Criteria are the benchmarks used to evaluate the subject matter. Performance
audit criteria are reasonable and audit-specific standards of performance
against which the economy, efficiency and effectiveness of operations can be
evaluated and assessed.

The criteria provide a basis for evaluating the evidence, developing audit
findings and reaching conclusions on the audit objectives. They also form
an important element in discussions within the audit team and with SAI
management and in communication with the audited entities.

The criteria can be qualitative or quantitative and should define what the
audited entity will be assessed against. The criteria may be general or specific,
focusing on what should be according to laws, regulations or objectives; what
is expected, according to sound principles, scientific knowledge and best
practice; or what could be (given better conditions).

Diverse sources can be used to identify criteria, including performance

measurement frameworks. It should be transparent which sources were used, and
the criteria should be relevant and understandable for users as well as complete,
reliable and objective in the context of the subject matter and audit objectives.

16
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

The criteria should be discussed with the audited entities, but it is ultimately
the auditor’s responsibility to select suitable criteria. While defining and
communicating criteria during the planning phase may enhance their
reliability and general acceptance, in audits covering complex issues it is not
always possible to set criteria in advance; instead they will be defined during
the audit process.

Whereas in some audit types there are unequivocal legislative criteria, this is
not typically the case in performance auditing. The audit objectives, question
and approach determine the relevance and the type of suitable criteria,
and user confidence in the findings and conclusions of a performance audit
depends largely on the criteria. Thus it is crucial to select reliable and objective
criteria.

In a problem-oriented performance audit, the starting point is a known or

suspected deviation from what should or could be. The main objective is
therefore not just to verify the problem (the deviation from the criterion and
its consequences) but to identify causes. This makes it important to decide
how to examine and verify causes during the design phase. Conclusions
and recommendations are primarily based on the process of analysing and
confirming causes, even though they are always rooted in normative criteria.

» Audit risk

28) Auditors should actively manage audit risk, which is the risk of obtaining
incorrect or incomplete conclusions, providing unbalanced information or
failing to add value for users.

Many topics in performance auditing are complex and politically sensitive.

While simply avoiding such topics may reduce the risk of inaccuracy or
incompleteness, it could also limit the possibility of adding value.

The risk that an audit will fail to add value ranges from the likelihood of not
being able to provide new information or perspectives to the risk of neglecting
important factors and, as a consequence, not being able to provide users of
the audit report with knowledge or recommendations that would make a real

17
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

contribution to better performance.

Important aspects of risk may include not possessing the competence

to conduct sufficiently broad or deep analysis, lacking access to quality
information, obtaining inaccurate information (e.g. because of fraud or
irregular practices), being unable to put all findings in perspective, and failing
to collect or address the most relevant arguments.

Auditors should therefore actively manage risk. Dealing with audit risk is
embedded in the whole process and methodology of performance audit.
Audit planning documents should state the possible or known risks of the
work envisaged and show how these risks will be handled.

» Communication

29) Auditors should maintain effective and proper communication with the audited
entities and relevant stakeholders throughout the audit process and define the
content, process and recipients of communication for each audit.

There are several reasons why planning communication with the audited
entities and stakeholders is of particular importance in performance audit.
• As performance audits are not normally conducted on a regular (e.g.
annual) basis on the same audited entities, channels of communication
may not already exist. While there may be contacts with the legislature
and government bodies, other groups (such as academic and business
communities or civil society organisations) may not have been engaged
with previously.
• Often there are no predefined criteria (such as a financial reporting
framework), and thus an intensive exchange of views with the audited
entity is necessary.
• The need for balanced reports requires an active effort to obtain insight
into the points of view of the various stakeholders.

Auditors should identify the responsible parties and other key stakeholders
and take the initiative in establishing effective two-way communication. With

18
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

good communication, auditors can improve access to information sources

and to data and opinions from the audited entity. Using communication
channels to explain the purpose of the performance audit to stakeholders also
increases the likelihood that audit recommendations will be implemented.
Auditors should therefore seek to maintain good professional relations with all
relevant stakeholders, promote a free and frank flow of information in so far as
confidentiality requirements permit, and conduct discussions in an atmosphere
of mutual respect and understanding for the role and responsibilities of each
stakeholder. However, care should be taken to ensure that communication
with stakeholders does not compromise the independence and impartiality
of the SAI.

Auditors should notify audited entities of the key aspects of the audit, including
the audit objective, audit questions and subject matter. Notification will usually
take the form of a written engagement letter and regular communication
during the audit. Auditors should maintain communication with audited
entities throughout the audit process, by means of constructive interaction as
different findings, arguments and perspectives are assessed.

Audited entities should be given an opportunity to comment on the audit

findings, conclusions and recommendations before the SAI issues its audit
report. Any disagreements should be analysed and factual errors corrected. The
examination of feedback should be recorded in working papers so that changes
to the draft audit report, or reasons for not making changes, are documented.

At the end of the audit process, stakeholder feedback can also be obtained on
the quality of the published audit reports. The audited entities’ perception of
audit quality may also be solicited.

» Skills

30) Collectively, the audit team should have the necessary professional
competence to perform the audit. This would include sound knowledge
of auditing, research design, social science methods and investigation or
evaluation techniques, as well as personal strengths such as analytical,
writing and communication skills.

19
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

In performance auditing, specific skills may be required, such as knowledge

of evaluation techniques and social science methods, and personal abilities
such as communication and writing skills, analytical capacity, creativity and
receptiveness. Auditors should have a sound knowledge of government
organisations, programmes and functions. This will ensure that the right areas
are selected for audit and that auditors can effectively undertake reviews of
government programmes and activities.

There may also be specific ways of acquiring the necessary skills. For each
performance audit the auditors need to have a full understanding of the
government measures which are the subject matter of the audit, as well as
the relevant background causes and the possible impacts. This knowledge
must frequently be acquired or developed specifically for the engagement.
Performance audits often involve a learning process and the development of
methodology as part of the audit itself. On-the-job learning and training should
therefore be available to auditors, who should maintain their professional skills
through ongoing professional development. An open attitude to learning and
an encouraging management culture are important conditions for enhancing
individual auditors’ professional skills.

In specialised areas, external experts can be used to complement the

knowledge of the audit team. Auditors should evaluate whether and in what
areas external expertise is required, and make the necessary arrangements.

» Professional judgement and scepticism

31) Auditors should exercise professional scepticism, but also be receptive and
willing to innovate.

It is vital that auditors exercise professional scepticism and adopt a critical

approach, maintaining an objective distance from the information provided.
Auditors are expected to make rational assessments and discount their own
personal preferences and those of others.

At the same time, they should be receptive to views and arguments. This is
necessary in order to avoid errors of judgement or cognitive bias. Respect,

20
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

flexibility, curiosity and a willingness to innovate are equally important.

Innovation applies to the audit process itself, but also to the audited processes
or activities.

Auditors are expected to consider issues from different perspectives and

maintain an open and objective attitude to various views and arguments. If
they are not receptive, they may miss important arguments or key evidence.
As auditors work to develop new knowledge, they also need to be creative,
reflective, flexible, resourceful and practical in their efforts to collect, interpret
and analyse data.

A high standard of professional behaviour should be maintained throughout

the audit process, from topic selection and audit planning, via the audit
proper, to reporting. It is important for auditors to work systematically, with
due care and objectivity and under appropriate supervision.

» Quality control

32) Auditors should apply procedures to safeguard quality, ensuring that the
applicable requirements are met and placing emphasis on appropriate,
balanced and fair reports that add value and answer the audit questions.

ISSAI 140 Quality Control for SAIs provides general principles and application
material on the system of quality control established at the organisational
level to cover all audits. In the conduct of performance audits the following
specific issues need to be addressed:
• Performance audit is a process in which the audit team gathers a large
amount of audit-specific information and exercises a high degree of
professional judgement and discretion concerning the relevant issues.
This must be taken into account in quality control. The need to establish
a working atmosphere of mutual trust and responsibility and provide
support for audit teams should be seen as part of quality management.
This may entail applying quality control procedures that are relevant and
easy to manage and ensuring that auditors are open to feedback received
from quality control. If there is a difference of opinion between supervisors
and the audit team, appropriate steps should be taken to ensure that the

21
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

audit team’s perspective is given sufficient consideration and that the

SAI’s policy is consistent.
• In performance auditing, even if the report is evidence-based, well-
documented and accurate, it might still be inappropriate or insufficient
if it fails to give a balanced and unbiased view, includes too few relevant
viewpoints or unsatisfactorily addresses the audit questions. These
considerations should therefore be an essential part of measures to
safeguard quality.
• As audit objectives vary widely between different audit engagements, it
is important to define clearly what constitutes a high-quality report in the
specific context of an audit engagement. General quality control measures
should therefore be complemented by audit-specific measures.

No quality control procedures at the level of the individual audit can guarantee
high-quality performance audit reports. It is equally important for auditors
to be – and remain – competent and motivated. Control mechanisms should
therefore be complemented by support, such as on-the-job training and
guidance for the audit team.

» Materiality

33) Auditors should consider materiality at all stages of the audit process. Thought
should be given not only to financial but also to social and political aspects of
the subject matter, with the aim of delivering as much added value as possible.

Materiality can be understood as the relative importance of a matter within

the context in which it is being considered. The materiality of an audit topic
should have regard to the magnitude of its impacts. It will depend on whether
the activity is comparatively minor and whether shortcomings in the area
concerned could influence other activities within the audited entity. An issue
will be considered material where the topic is considered to be of particular
importance and where improvements would have a significant impact. It will
be less material where the activity is of a routine nature and the impact of
poor performance would be restricted to a small area or otherwise minimal.

22
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

In performance audit, materiality by monetary value may, but need not, be

a primary concern. In defining materiality, the auditor should consider also
what is socially or politically significant and bear in mind that this varies over
time and depends on the perspective of the relevant users and responsible
parties. Since the subject matter of performance audits can vary broadly and
criteria are frequently not set by legislation, that perspective may vary from
one audit to another. Assessing it requires careful judgement on the part of
the auditor

Materiality concerns all aspects of performance audits, such as the selection

of topics, definition of criteria, evaluation of evidence and documentation
and management of the risks of producing inappropriate or low-impact audit
findings or reports.

» Documentation

34) Auditors should document the audit in accordance with the particular
circumstances thereof. Information should be sufficiently complete and detailed
to enable an experienced auditor having no previous connection with the audit
to subsequently determine what work was done in order to arrive at the audit
findings, conclusions and recommendations.

As in all audits, performance auditors should keep an adequate documentary

record of the preparation, procedures and findings of each audit. However, the
purpose and context of documentation are somewhat specific in performance
auditing.
• Frequently the auditor will have acquired specialised knowledge about
the audit topic that is not easily reproduced in the SAI. Since the audit
methodology and criteria may have been developed specifically for a
single engagement, the auditor carries a special responsibility to make his
reasoning transparent.
• In performance auditing, as well as containing findings and
recommendations the report describes the framework, perspective and
analytical structure that were adopted and the process that was followed
to arrive at the conclusions. To some extent, the report performs functions

23
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

that in other types of audits are provided by general standards or audit

documentation.
• Documentation should not only confirm the accuracy of facts, but also
ensure that the report presents a balanced, fair and complete examination
of the audited question or subject matter. Thus, for example, it might be
necessary for the documentation to include reference to arguments not
accepted in the report, or to describe how different viewpoints were dealt
with in the report.
• The purpose of the audit report in performance auditing is frequently to
persuade reasonable users by providing new insights rather than a formal
statement of assurance. Just as the audit objectives determine the nature of
the necessary evidence, they also determine the nature of documentation.
• Maintaining adequate documentation is not only part of safeguarding
quality (e.g. by helping to ensure that delegated work has been performed
satisfactorily and that the audit objectives have been achieved) but also
of the SAI’s and individual auditors’ professional development, as it can
shape good practice for similar audits in the future.

PRINCIPLES RELATED TO THE AUDIT PROCESS

35) Performance auditing comprises the following main steps:

Planning Conducting Repording Follow-up

24
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

• Planning, i.e. selection of topics, pre-study and audit design;

• Conducting, i.e. collecting and analysing data and information;
• Reporting, i.e. presenting the outcome of the audit: answers to the audit
questions, findings, conclusions and recommendations to users;
• Follow-up, i.e. determining whether action taken in response to findings
and recommendations has resolved the underlying problems and/or
weaknesses.

These steps may be iterative. For instance, new insights from the process
stage may necessitate changes to the audit plan, and important elements
of reporting (e.g. the drawing of conclusions) may be sketched out or even
completed during the process stage.

PLANNING

» Selection of topics

36) Auditors should select audit topics through the SAI’s strategic planning
process by analysing potential topics and conducting research to identify
risks and problems.

Determining which audits will be pursued is usually part of the SAI’s strategic
planning process. If appropriate, auditors should contribute to this process in
their respective fields of expertise. They may share knowledge from previous
audits, and information from the strategic planning process may be relevant
for the auditor’s subsequent work.

In this process, auditors should consider that audit topics should be sufficiently
significant as well as auditable and in keeping with the SAI’s mandate. The
topic selection process should aim to maximise the expected impact of the
audit while taking account of audit capacities (e.g. human resources and
professional skills).

Formal techniques to prepare the strategic planning process, such as risk

25
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

analysis or problem assessments, can help structure the process but need to
be complemented by professional judgement to avoid one-sided assessments.

» Designing the audit

37) Auditors should plan the audit in a manner that contributes to a high-quality
audit that will be carried out in an economical, efficient, effective and timely
manner and in accordance with the principles of good project management.

In planning an audit, it is important to consider:

• the background knowledge and information required for an understanding
of the audited entities, so as to allow an assessment of the problem and
risk, possible sources of evidence, auditability and the significance of the
area considered for audit;
• the audit objectives, questions, criteria, subject matter and methodology
(including techniques to be used for gathering evidence and conducting
the audit analysis);
• the necessary activities, staffing and skills requirements (including the
independence of the audit team, human resources and possible external
expertise), the estimated cost of the audit, the key project timeframes and
milestones and the main points for control.

To ensure the audit is properly planned, therefore, the auditors need to acquire
sufficient knowledge of the subject matter. Performance auditing generally
requires that audit-specific, substantive and methodological knowledge be
acquired before the audit is launched (“pre-study”).

When planning the audit, the auditor should design the audit procedures
to be used for gathering sufficient appropriate audit evidence. This can be
approached in several stages: deciding on the overall audit design (which
questions to ask, e.g. explanatory/descriptive/evaluative); determining the
level of observation (e.g. looking at a process or individual files); methodology
(e.g. full analysis or sample); specific data-collection techniques (e.g. interview
or focus group). Data- collection methods and sampling techniques should be
carefully chosen. The planning phase should also involve research work aimed

26
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

at building knowledge, testing various audit designs and checking whether

the necessary data are available. This makes it easier to choose the most
appropriate audit method.

Senior and operational management and the audit team should be fully
cognisant of the overall audit design and what it entails. Decisions on the overall
audit design and its consequences in terms of resources will often involve
the senior management of the SAI, who can ensure that skills, resources and
capacities are in place to address the audit objectives and the audit questions.

Planning should allow for flexibility, so that the auditors can benefit from
insights obtained during the course of the audit. The audit methods chosen
should be those which best allow audit data to be gathered in an efficient
and effective manner. While the auditors should aim to adopt best practices,
practical considerations such as the availability of data may restrict the choice of
methods. It is therefore advisable to be flexible and pragmatic in this respect. For
this reason, performance audit procedures should not be overly standardised.
Excessive prescriptiveness may hamper the flexibility, professional judgement
and high levels of analytical skills that are required in a performance audit.
In certain cases – where, for example, the audit requires data to be gathered
in many different regions or areas or the audit is to be conducted by a large
number of auditors – there may be a need for a more detailed audit plan in
which audit questions and procedures are explicitly defined.

When planning an audit, auditors should assess the risk of fraud. If this is
significant within the context of the audit objectives, the auditors should
obtain an understanding of the relevant internal control systems and examine
whether there are signs of irregularities that hamper performance. They should
also determine whether the entities concerned have taken appropriate action
to address any recommendations from previous audits or other examinations
that are of relevance to the audit objectives. Lastly, the auditors should seek
contact with stakeholders, including scientists or other experts in the field,
in order to build up proper knowledge regarding, for instance, good or best
practices. The overall aim at the planning stage is to decide, by building up
knowledge and considering a variety of strategies, how best to conduct the
audit.

27
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

CONDUCTING

» Evidence, findings and conclusions

38) Auditors should obtain sufficient appropriate audit evidence to establish

findings, reach conclusions in response to the audit objectives and questions
and issue recommendations.

All audit findings and conclusions must be supported by sufficient appropriate

evidence. This should be placed in context, and all relevant arguments, pros
and cons and different perspectives should be considered before conclusions
can be drawn. The nature of the audit evidence required to draw conclusions in
performance auditing is determined by the subject matter, the audit objective
and the audit questions.

The auditor should evaluate the evidence with a view to obtaining audit
findings. Based on the findings, the auditor should exercise professional
judgement to reach a conclusion. Findings and conclusions are the results of
analysis in response to the audit objectives. They should provide answers to
the audit questions.

Conclusions can be based on quantitative evidence obtained using scientific

methods or sampling techniques. Formulating conclusions may require a
significant measure of judgement and interpretation in order to answer the audit
questions, due to the fact that audit evidence may be persuasive (“points towards
the conclusion that ...”) rather than conclusive (“right/wrong”). The need for
precision should be weighed against what is reasonable, economical and relevant
to the purpose. The involvement of senior management is recommended.

Performance auditing involves a series of analytical processes that evolve

gradually through mutual interaction, allowing the questions and methods
employed to develop in depth and sophistication. This may involve combining
and comparing data from different sources, drawing preliminary conclusions
and compiling findings in order to build hypotheses that can be tested, if
necessary, against additional data. The whole process is closely linked to

28
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

that of drafting the audit report, which can be seen as an essential part of
the analytical process that culminates in answers to the audit questions. It is
important for auditors to be goal-oriented and for them to work systematically
and with due care and objectivity.

REPORTING

» Content of the report

39) Auditors should strive to provide audit reports which are comprehensive,
convincing, timely, reader-friendly and balanced.

To be comprehensive, a report should include all the information needed

to address the audit objective and audit questions, while being sufficiently
detailed to provide an understanding of the subject matter and the findings
and conclusions. To be convincing, it should be logically structured and present
a clear relationship between the audit objective, criteria, findings, conclusions
and recommendations. All relevant arguments should be addressed.

In a performance audit, the auditors report their findings on the economy and
efficiency with which resources are acquired and used and the effectiveness
with which objectives are met. Reports may vary considerably in scope and
nature, for example assessing whether resources have been applied in a
sound manner, commenting on the impact of policies and programmes and
recommending changes designed to result in improvements.

The report should include information about the audit objective, audit
questions and answers to those questions, the subject matter, criteria,
methodology, sources of data, any limitations to the data used, and audit
findings. It should clearly answer the audit questions or explain why this
was not possible. Alternatively, the auditors should consider reformulating
the audit questions to fit the evidence obtained and thus arrive at a position
where the questions can be answered. The audit findings should be put into
perspective, and congruence should be ensured between the audit objective,
audit questions, findings and conclusions. The report should explain why and

29
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

how problems noted in the findings hamper performance in order to encourage

the audited entity or report user to initiate corrective action. It should, where
appropriate, include recommendations for improvements to performance.

The report should be as clear and concise as the subject matter permits and
phrased in unambiguous language. As a whole it should be constructive,
contribute to better knowledge and highlight any necessary improvements.

» Recommendations

40) If relevant and allowed by the SAI’s mandate, auditors should seek to provide
constructive recommendations that are likely to contribute significantly to
addressing the weaknesses or problems identified by the audit.

Recommendations should be well-founded and add value. They should

address the causes of problems and/or weaknesses. However, they
should be phrased in such a way that avoids truisms or simply inverting
the audit conclusions, and they should not encroach on the management’s
responsibilities. It should be clear who and what is addressed by each
recommendation, who is responsible for taking any initiative and what the
recommendations mean – i.e. how they will contribute to better performance.
Recommendations should be practical and be addressed to the entities which
have responsibility and competence for implementing them.

Recommendations should be clear and presented in a logical and reasoned

fashion. They should be linked to the audit objectives, findings and conclusions.
Together with the full text of the report, they should convince the reader that
they are likely to significantly improve the conduct of government operations
and programmes, e.g. by lowering costs and simplifying administration,
enhancing the quality and volume of services, or improving effectiveness,
impact or the benefits to society.

» Distribution of the report

41) Auditors should seek to make their reports widely accessible, in accordance
with the mandate of the SAI.

30
ISSAI 300 - PERFORMANCE AUDIT PRINCIPLES

Auditors should bear in mind that distributing audit reports widely can
promote the credibility of the audit function. Reports should therefore be
distributed to the audited entities, the executive and/or the legislature and,
where relevant, be made accessible to the general public directly and through
the media and to other interested stakeholders.

FOLLOW-UP

42) Auditors should follow up previous audit findings and recommendations

wherever appropriate. Follow-up should be reported appropriately in
order to provide feedback to the legislature together, if possible, with the
conclusions and impacts of all relevant corrective action.

Follow-up refers to the auditors’ examination of corrective action taken by

the audited entity, or another responsible party, on the basis of the results
of a performance audit. It is an independent activity that increases the value
of the audit process by strengthening the impact of the audit and laying the
basis for improvements to future audit work. It also encourages the audited
entities and other users of reports to take the latter seriously, and provides
the auditors with useful lessons and performance indicators. Follow-up is not
restricted to the implementation of recommendations but focuses on whether
the audited entity has adequately addressed the problems and remedied the
underlying situation after a reasonable period of time.

When conducting follow-up of an audit report, the auditor should concentrate

on findings and recommendations that are still relevant at the time of the
follow-up and adopt an unbiased and independent approach.

Follow-up results may be reported individually or as a consolidated report,

which may in turn include an analysis of different audits, possibly highlighting
common trends and themes across a number of reporting areas. Follow-up
can contribute to a better understanding of the value added by performance
auditing over a given time period or subject area.

31