Drafting Audit Objectives
All performance audits need clearly stated objectives that are worded in a manner that allows auditors to conclude against them. Audit objectives should be realistic and achievable and give sufficient information to audited organizations about the focus of the audit.
Audits can have one or several objectives depending on the extent of their scope and their complexity. Office practice will also influence the number of objectives and whether or not sub-objectives are used. (Some audit offices never use sub-objectives.) Sub-objectives can be included in audit plans (for example, one for each line of enquiry), but auditors who decide to do so will still be expected to conclude on their main audit objective.
Objectives for audits of oversight are generally of three different types.
- The first type focuses on the structure and systems of oversight bodies. That is, are oversight processes well designed?
- The second type focuses on the results or effectiveness of oversight bodies in exercising their functions, roles, and responsibilities. That is, are oversight processes working as designed?
- The third type combines the structures/systems and results/effectiveness aspects.
Audit objectives can be either broad in scope, encompassing the overall oversight framework, or narrow in scope, covering only a specific oversight requirement. Selecting one type or the other may depend on audit office practices and available resources to conduct the audit. Table 7 provides examples of broad and narrow audit objectives for both structures/systems and results/effectiveness audits. These examples cover key structures/systems aspects of oversight bodies (clear roles and responsibilities, independence, skills and knowledge, and information flow), as well as a number of important roles usually played by oversight bodies (overseeing risk management, monitoring compliance and performance, taking corrective actions, and reporting).
When sufficient time and resources are available, examining both structures/systems and results/effectiveness aspects is desirable because this approach provides more complete information and additional assurance to the audit report’s recipient. By examining both aspects, auditors reduce the risk of reaching an incomplete or irrelevant conclusion. For example, concluding that systems are implemented as designed would be of limited value if the systems’ design was poor in the first place. Similarly, simply concluding that well-designed systems are in place would provide only limited value if the systems are not actually used and implemented as designed.
This being said, focusing solely on the structures/systems aspect is a valid option when it is too early to obtain result information. It is also possible for auditors who decide to focus on results and effectiveness to cover structures/systems issues in their report if these issues come up when analyzing the root cause of observed deficiencies.
Table 7 – Examples of Audit Objectives for Audits of Oversight in Agencies, Boards and Authorities
Topic |
Structures and Systems |
Results and Effectiveness |
---|---|---|
1. Overall oversight framework |
To determine whether the structures and processes established for the organization set the framework for effective oversight. |
To determine whether oversight structures and processes are implemented as intended and resulting in effective oversight. |
2. Oversight roles and responsibilities |
To determine whether the board (or governing body) has clear oversight roles and responsibilities and a clear mandate to carry out specific oversight functions. |
To determine whether the board (or governing body) is fulfilling its oversight roles and responsibilities and carrying out its oversight functions as defined in its charter (or mandate). |
To determine whether the committee structure put in place by the board (or governing body) provides for adequate oversight of key corporate functions and operations. |
To determine whether the committees of the board (or governing body) are fulfilling their respective oversight roles and responsibilities. |
|
To determine whether the board (or governing body) has established an audit committee and clearly defined its oversight roles and responsibilities. |
To determine whether the audit committee is fulfilling its assigned oversight roles and responsibilities. |
|
3. Independence |
To determine whether the board (or governing body) has established clear independence requirements for its members and put in place a policy or process to manage perceived and actual conflicts of interests. |
To determine whether the board (or governing body) and its committees are effectively managing independence risks to ensure that they perform their oversight responsibilities objectively.To determine whether the board (or governing body) and its committees actively manage conflicts of interest in accordance with policy requirements (or best practices). |
4. Skills and knowledge |
To determine whether the board (or governing body) has defined the skills, knowledge, and experience that board and committee members must possess in order to have the capacity to fulfill their oversight responsibilities. |
To determine whether the board (or governing body) and its committees collectively possess the skills, knowledge, and experience to fulfill their oversight responsibilities. |
5. Sufficient and appropriate information |
To determine whether the board (or governing body) has defined its information needs and communicated those needs to management. |
To determine whether the board (or governing body) receives the information it needs to fulfill its oversight responsibilities.To determine whether the board (or governing body) regularly assesses the quality and sufficiency of the information that management provides it with. |
6. Risk management |
To determine whether the board (or governing body) has approved a risk management policy and clearly allocated roles and responsibilities in this area. |
To determine whether the board (or governing body) is aware of the key risks facing the organization.To determine whether the board ensures that management has established adequate processes to monitor and mitigate key organizational risks. |
7. Performance monitoring |
To determine whether the board (or governing body) has put in place adequate systems and practices to monitor the organization’s performance in meeting its established objectives. |
To determine whether the board (or governing body) is conducting effective performance monitoring to ensure that the organization is meeting its established objectives. |
8. Compliance |
To determine whether the board (or governing body) has put in place adequate controls to ensure that it is aware of the organization’s state of compliance and of any need for corrective actions. |
To determine whether the board (or governing body) is regularly monitoring the organization’s compliance with laws, regulations, bylaws, and ethical requirements, and taking corrective actions as necessary. |
9. Corrective actions |
To determine whether the board (or governing body) has put in place adequate controls to ensure that corrective actions are taken in a timely manner. |
To determine whether the board (or governing body) is taking timely corrective actions when inefficiencies, poor performance, substandard results, or instances of non-compliance are identified and brought to its attention. |
10. External reporting |
To determine whether the board (or governing body) has clearly identified the accountability reports it needs to receive, review, and approve. |
To determine whether the board (or governing body) regularly reviews and approves key accountability reports. |
11. Performance evaluation |
To determine whether there is an adequate process in place to evaluate the board’s (or governing body’s) performance in fulfilling its oversight responsibilities. |
To determine whether the board (or governing body) regularly evaluates its own performance in fulfilling its oversight responsibilities. |
12. Government /Ministerial oversight |
To determine whether the government / Minister has established a clear framework for the oversight of the organization. |
To determine whether the government / Minister exercises adequate oversight of the organization. |