Selecting Audit Criteria
Audit criteria represent the standards expected to be met by an audited organization. Audit criteria are a key contributor to an audit’s strength and potential impact. Audit procedures focus on determining whether criteria are met or not met. Suitable criteria are clear, concise, relevant, reliable, neutral, understandable, and complete.
Finding suitable criteria is a challenge for any performance (value-for-money) audit, not just for audits of oversight. Each audit is unique due to the auditor’s mandate, audit focus, audit objectives, and the way the organization being audited approaches the audit’s subject matter.
The criteria presented as examples in this section are largely derived from the work of the CCOLA Governance Study Group and the Office of the Auditor General of Canada.
Examples of audit criteria and sub-criteria that can be used to audit the structures/systems and results/effectiveness of oversight bodies responsible for the oversight of major initiatives in departments and ministries are presented in Table 13. The criteria and sub-criteria are divided into 10 categories:
- Oversight roles and responsibilities
- Independence
- Skills and knowledge
- Sufficient and appropriate information
- Risk management
- Performance monitoring
- Compliance
- Corrective actions
- External reporting
- Performance assessment
These categories correspond with the audit objective topic numbers 2 to 11 in Table 12. Oversight topic 1 in Table 12, the overall oversight framework, is very broad and would need, in practice, to be supported by a selection of criteria taken from these 10 sub-categories.
Auditors are not expected to use all of the suggested criteria. Rather, they can pick and choose those that are most relevant to the scope of the audit and document the rationale for their selection. They can also develop additional criteria where needed, in order to conclude on their audit objective(s).
Auditors should always use their professional judgment in selecting audit criteria and determining whether the expectations defined by the criteria are reasonable given the nature and operational constraints of the audited organization. The reasonableness of potential criteria is, in part, a function of the degree to which they represent a balance between cost, risk, and effectiveness. For example, it would not be reasonable to expect an organization to adopt an unproven, costly control measure to mitigate a minor risk.
While the criteria presented in Table 13 have been designed for situations where there is a clear oversight structure in place, many can be adapted to audit situations where there is no such structure but it would be reasonable to expect one. In such situations, auditors could adopt a general objective about whether there is adequate oversight in place for a major initiative, then select and adapt a number of audit criteria according to what could reasonably be expected in each specific situation, drawing on good management principles and best practices.
Table 13 – Examples of Audit Criteria that Can Be Used to Audit the Oversight of a Major Initiative in a Department or Ministry
| Topic | Structures and Systems | Results and Effectiveness |
|---|---|---|
| 1. Oversight roles and responsibilities | Criterion: The oversight body has clearly defined oversight roles and responsibilities. | Criterion: The oversight body fulfills its assigned oversight roles and responsibilities. |
| 2. Independence | Criteria: The oversight body has established clear policy and guidance about independence requirements. Specific prohibitions are listed and guidance covers the various forms of independence threats (self review, self-interest, advocacy, familiarity, and intimidation) and how they are to be addressed. Oversight body members have to sign an annual independence declaration that requires them to disclose any known independence threats and confirm their understanding of the applicable independence policy. | Criterion: The oversight body has the independence necessary to perform its oversight responsibilities objectively. Sub-criteria: Members of the oversight body comply with applicable independence policies. Independent members of the oversight body hold regular in camera meetings without initiative management in attendance. |
| 3. Skills and knowledge | Criterion: The skills, knowledge and experience required of oversight body members have been defined and communicated. | Criterion: Collectively, oversight body members have the skills and knowledge they require to effectively discharge their oversight responsibilities. Sub-criteria: |
| 4. Sufficient and appropriate information | Criterion: The oversight body has defined the information and knowledge it needs to effectively exercise its oversight role. | Criterion: The oversight body has sufficient relevant and reliable information about the selected major initiative to fulfill its oversight responsibilities. Sub-criteria: |
| 5. Risk management | Criterion: The oversight body ensures that appropriate risk management policies and internal controls are put in place to mitigate the initiative’s key risks in a cost-effective manner. | Criterion: The oversight body effectively oversees the initiative’s risk management policies and processes. Sub-criteria: |
| 6. Performance monitoring | Criterion: The oversight body ensures that performance targets and pertinent indicators are in place to enable it to properly monitor the initiative’s performance. | Criteria: The oversight body is effectively monitoring the initiative’s performance in relation to its stated objectives and intended outcomes. The oversight body challenges management about the quality and reliability of the available performance information. |
| 7. Compliance | Criterion: Systems and practices are in place to monitor the compliance of the initiative with applicable legislation, regulations and policies. | Criterion: The oversight body obtains assurance that the initiative is in compliance with applicable legislation, regulations, and policies. |
| 8. Taking corrective actions | Criterion: The oversight body has put in place adequate controls to ensure that corrective actions are taken in a timely manner. | Criterion: Evidence exists that, based on the initiative information they receive, oversight body members make decisions, provide direction, and follow up on actions taken in response. |
| 9. External reporting | Criterion: The oversight body has determined which accountability reports it needs to receive, review and approve. | Criterion: The oversight body regularly reviews and approves key accountability reports produced by initiative managers. |
| 10. Performance Assessment | Criterion: A process is in place to periodically assess the performance of the oversight body in discharging its oversight responsibilities. | Criterion: The performance of the oversight body in discharging its oversight responsibilities is assessed periodically. Sub-criteria: |