Selecting an Audit Topic
The first step in the performance audit process is to select a topic. The specific practices and criteria used to select audit topics vary from one office to another.
In some cases, audits are mandated by legislation, like the special examinations of federal Crown corporations under the Financial Administration Act. In other cases, a special request may be made by a legislature or a minister for an auditor general to conduct a particular audit (as was the case for the 2011 New Brunswick audit of the oversight of wastewater commissions). These requests are often made after a significant negative event has occurred, with a view to identifying the cause and preventing a recurrence.
But, in most cases, internal and legislative audit offices in Canada have the flexibility to choose (or at least propose) their own audit topics. Often, the selection of audit topics is done as part of the office's strategic planning process. The selection process usually involves senior audit executives who make decisions based on information generated by a risk analysis of some sort (or other method) as well as consideration of any constraints imposed by the audit’s timing, available resources and skills, and the auditability of the topic. In some offices, a senior auditor may have the responsibility to select an audit topic (or at least propose one for approval).
This Practice Guide suggests that consideration of the importance of oversight may also influence audit topic selection. Further, activities related to acquiring knowledge of business and assessing risk are typically applied both to audit topic selection (see below) and to the detailed planning of a performance audit (described in subsequent sections of the Practice Guide), albeit at different levels of detail.
Given that there are oversight responsibilities in every public sector organization, it is unlikely that offices or senior auditors would first decide to audit oversight and then undertake an analysis to determine in which department or agency this would be most relevant. Rather, it is far more likely that they would already have in mind a specific organization, program, or horizontal issue (one for which responsibilities are spread across several departments). In that instance, the office's or senior auditors’ main task would be to determine if the audit should cover oversight responsibilities in the chosen organization(s), program, project, or public service.
In order to make this determination, audit teams will need to:
- develop a preliminary knowledge of business,
- assess the importance of proper oversight to the attainment of stated organizational objectives, and
- assess whether there are indications that oversight has been ineffective and has put the achievement of these objectives at risk.
There are many indicators that oversight may be weak, including:
- significant cost overruns, delays, high numbers of complaints, escalating risks, and poor performance against targets;
- irregular board or committee meetings, poor (i.e. absent, incomplete, ambiguous or inaccurate) documentation to support key decisions, and lack of performance information; and
- failure to take corrective actions or to make significant progress in relation to previous audit observations and recommendations.
Auditors can look for these and other signs, document them, and then use this information as part of their analysis to determine whether oversight is an important risk factor for the success of the project, program, or organization they want to audit.
Among the questions to consider in making this determination are:
- Would weak oversight prevent the organization from achieving its objectives or adequately carrying out its mandate?
- Would weak oversight result in significant adverse consequences for the organization, its clients, or the public?
In situations where oversight is an important risk factor, auditors should consider including one or more lines of inquiry on oversight in their audit plan. Lines of inquiry can focus on either:
- the design of oversight structures and systems (oversight body structure, mandate, roles and responsibilities, independence, skills and experience requirements, and so on) or
- the results and effectiveness of these structures and systems (performance in delivering oversight mandate; compliance with laws, regulations, and bylaws; performance monitoring; reporting; and so on).