• Cart
Log in

Log in

home page banner blank


Practice Guide to Auditing Oversight


Drafting Audit Objectives

All performance audits need clearly stated objectives that are worded in a manner that allows auditors to conclude against them. Audit objectives should be realistic and achievable and give sufficient information to audited organizations about the focus of the audit.

Audits can have one or several objectives depending on the extent of their scope and their complexity. Office practice will also influence the number of objectives and whether or not sub-objectives are used. (Some audit offices never use sub-objectives.) Sub-objectives can be included in audit plans (for example, one for each line of enquiry), but auditors who decide to do so will still be expected to conclude on their main audit objective.

Objectives for audits of oversight are generally of three different types.

  • The first type focuses on the structures and systems of oversight bodies, functions, and processes. That is, are oversight processes well designed?
  • The second type focuses on the results and effectiveness of oversight bodies in exercising their functions, roles, and responsibilities. That is, are oversight processes working as designed?
  • The third type combines the structures/systems and results/effectiveness aspects.

Audit objectives can be either broad in scope, encompassing the overall oversight framework, or narrow in scope, covering only a specific oversight requirement. Selecting one type or the other may depend on audit office practices and available resources to conduct the audit. Table 12 provides examples of broad and narrow audit objectives for both structures/systems and results/effectiveness audits. These examples cover key oversight structures/systems (mandate, clear roles and responsibilities, independence, skills, and knowledge), as well as a number of important roles usually played by oversight bodies (overseeing risk management, monitoring compliance and performance, taking corrective actions, and reporting).

Audit teams can combine both structures/systems and results/effectiveness objectives in an audit of oversight, granted they have sufficient time and resources to do so. Examining both design and effectiveness aspects is desirable since this approach provides more complete information and additional assurance to the audit report’s recipient. By examining both aspects, auditors reduce the risk of reaching an incomplete or irrelevant conclusion. For example, concluding that systems are implemented as designed would be of limited value if the systems’ design was poor in the first place. Similarly, simply concluding that well-designed systems are in place would provide only limited value if the systems are not actually used and implemented as designed.

This being said, focusing solely on the structures/systems aspect is a valid option when it is too early to obtain result information. It is also possible for auditors who decide to focus on results and effectiveness to cover design issues in their report if these issues come up when analyzing the root cause of observed deficiencies.

Table 12 – Examples of Audit Objectives for Audits of Oversight of Major Initiatives in Departments and Ministries

Topic

Structures and Systems

Results and Effectiveness

1. Overall oversight framework

To determine whether the structures and processes established for the initiative set the framework for effective oversight.

To determine whether the oversight structures and processes put in place for the initiative are implemented as intended and resulting in effective oversight.

2. Oversight

roles and responsibilities

To determine whether the oversight body has clear roles and responsibilities and a clear mandate to carry out specific oversight functions.

To determine whether the oversight body is fulfilling its roles and responsibilities and carrying out its oversight functions as defined in its terms of reference (or mandate).

3. Independence

To determine whether the oversight body has established clear independence requirements for its members and put in place a policy or process to manage perceived and actual conflicts of interests for the selected major initiative.

To determine whether the oversight body is effectively managing independence risks to ensure that its members perform their oversight responsibilities objectively.

To determine whether the oversight body actively manages conflicts of interest in accordance with policy requirements (or best practices).

4. Skills and knowledge

To determine whether the oversight body has defined the skills, knowledge, and experience that its members must possess in order to have the capacity to fulfill their oversight responsibilities for the selected major initiative.

To determine whether the oversight body members collectively possess the skills, knowledge, and experience to fulfill their oversight responsibilities.

5. Sufficient and appropriate information

To determine whether the oversight body has defined its information needs and communicated those needs to initiative managers.

To determine whether the oversight body receives the information it needs to fulfill its oversight responsibilities.

To determine whether the oversight body regularly assesses the quality and sufficiency of the information that initiative managers provide it with.

6. Risk management

To determine whether the oversight body has approved a risk management policy or procedure and clearly allocated roles and responsibilities in this area.

To determine whether the oversight body is aware of the key risks facing the organization in relation to the selected major initiative.

To determine whether the oversight body ensures that management has established adequate processes to monitor and mitigate the major initiative’s key organizational risks.

7. Performance monitoring

To determine whether the oversight body has ensured there are adequate systems and practices to monitor the initiative’s performance in relation to its established objectives.

To determine whether the oversight body is conducting effective performance monitoring to ensure that the initiative is meeting its established objectives.

8. Compliance

To determine whether the oversight body has put in place adequate controls to ensure that it is aware of the initiative’s compliance with laws, regulations, and policies, and of any need for corrective actions.

To determine whether the oversight is regularly monitoring the initiative’s compliance with laws, regulations, policies, and ethical requirements, and taking corrective actions as necessary.

9. Corrective actions

To determine whether the oversight body has put in place adequate controls to ensure that corrective actions are taken in a timely manner.

To determine whether the oversight body is taking timely corrective actions when inefficiencies, poor performance, substandard results, or instances of non-compliance are identified and brought to its attention.

10. Reporting

To determine whether the oversight body has clearly identified the accountability reports it needs to receive (from initiative managers), review, and approve.

To determine whether the oversight body regularly reviews and approves key accountability reports prepared by initiative managers.

11. Performance evaluation

To determine whether there is an adequate process in place to evaluate the oversight body’s performance in fulfilling its oversight responsibilities.

To determine whether the oversight body’s performance in fulfilling its responsibilities is regularly evaluated.