Engagement performance — general

Chapters 301 to 305

301. Terms of the audit engagement

Policy

301.1 An engagement letter shall be issued to the Accountable Authority of the Commonwealth entity for each new audit engagement. Where the terms are relevant for more than one annual audit, the terms shall be re-confirmed at least every five years.

301.2 The Engagement Executive shall ensure that the acknowledgement of the Accountable Authority of the engagement terms described in the engagement letter is received. Where the Accountable Authority is a group of persons, acknowledgement by the chairperson or equivalent of the Accountable Authority shall be taken as acknowledgment of the body.

301.3 Circumstances where an engagement letter shall be re-issued include, but are not limited to, a material change to the terms of the audit engagement, including:

  1. a change in audit objective or audit criteria;
  2. a change in legal or regulatory requirements including significant changes in Australian National Audit Office (ANAO) Auditing Standards, impacting on the terms of the audit engagement;
  3. a change in the performance reporting framework applied in the preparation of the performance statements; and
  4. a change in other significant performance reporting requirements.

301.4 The Engagement Executive shall assess whether there is a need to draw the attention of the entity to the existing terms of engagement. These circumstances include, but are not limited to:

  1. a change in:
    1. the Accountable Authority where the Accountable Authority is a single person; or
    2. the chairperson or equivalent of the Accountable Authority where the Accountable Authority is a group of persons; and
  1. where there is an indication that the entity misunderstands the objective and scope of the audit.

301.5 The Engagement Executive shall consider whether the circumstances identified in paragraph 301.4 warrant the re-issue of the terms of engagement.

301.6 The applicable terms contained in the Public Governance, Performance and Accountability Act 2013 (PGPA Act), Auditor-General Act 1997 (A-G Act) and any other legislation shall be included in the engagement letter, including the legislation creating the Auditor-General’s mandate to perform the audit.

301.7 Unless communicated in writing separately, the following additional matters shall be included in the engagement letter:

  1. an overview of the planned scope and timing of the audit, including the audit objective and criteria;
  2. the form, timing and expected general content of communications; and
  3. the identity of the members of the audit team and, if applicable, the Engagement Quality Review (EQR) for the audit.

301.8 In unusual circumstances where legislation other than the PGPA Act and Auditor-General Act amends the reporting or auditing requirements with respect to performance information the engagement team shall consult with PSRG to amend the engagement terms to accommodate that legislation.

301.9 When planning an audit, the audit team shall consider the level of security clearance that will be required to conduct the audit in an entity, and take appropriate action to obtain the necessary clearance (if not already in place for all audit team members).1

Guidance

301.10 The engagement letter is sent to the Accountable Authority of a Commonwealth entity (normally the Chair of the Accountable Authority where the authority has more than one member).

301.11 ASAE 3000 paragraph 27 requires the agreement of the Accountable Authority to the engagement terms. As an independent officer of the Parliament, the conduct of the ANAO’s performance statements audits is conducted under the Auditor-General’s discretion not subject to the agreement of the audited entity and as such an acknowledgement by the auditee about their responsibilities is suitable.2

301.12 Paragraphs 301.3 and 301.4 list situations where ANAO policy requires an engagement letter to be revised and re-issued or requires the attention of the entity to be drawn to the existing terms. Subject to these specific policy requirements, it is a matter for judgement by the Engagement Executive whether to formally confirm the terms of engagement or to draw attention to existing terms. The list of circumstances in paragraphs 301.3 and 301.4 is not exhaustive, and the Engagement Executive needs to be alert to other circumstances where an entity needs to be advised of revised terms of engagement or reminded of the existing terms. Examples where the Engagement Executive may need to consider re-issuing or drawing the entity’s attention to the terms of engagement include:

  1. a change of several Board members (other than the Board Chair);
  2. a change of Audit Committee Chair; and
  3. a significant change in nature or size of the entity’s business, e.g. by the addition of functions following the issue of new or revised Administrative Arrangements Orders (AAOs).

301.13 Typically, a new formal agreement with the entity is needed when the matters covered by the current engagement letter change or new conditions relevant to an engagement arise. Examples are changes in governing legislation, respective responsibilities or reporting requirements. In this situation, formal acknowledgement on behalf of the entity of the revised terms of engagement is needed from the (head of the) Accountable Authority.

301.14 Where the existing terms of engagement are unchanged but there is a need to draw the entity’s attention to the existing terms, a response from the entity is not required.

301.15 For the purposes of applying paragraph 301.6 the applicable legislation for performance statement audits is ordinarily the PGPA Act and the A-G Act. In unusual circumstances there may be other legislation that serves to amend the reporting or auditing requirements with respect to performance information. In those circumstances engagement teams are required by this policy to consult with PSRG to suitably amend the engagement terms to accommodate any such legislation.

302. Role and responsibilities of the Group Executive Director

Policy

302.1 In addition to the PSASG GED’s leadership responsibility as provided for in the Shared Content of the ANAO Audit Manual (which include the delivery of services to the required level of quality by the Performance Statements Audit Services Group and other aspects of the ANAO’s quality framework), the PSASG GED shall be responsible for supporting the ANAO Executive in the selection and commencement of audits, risk assessment of audits and monitoring and reporting of audit issues arising in the conduct of audits.

302.2 The PSASG GED shall provide recommendations to the Auditor-General on the selection and commencement of:

  1. audits requested by the Finance Minister or the responsible Minster under section 40 of the Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act)3; or
  2. audits of performance measures under section 18A of the Auditor-General Act 1997 (Cth) (A-G Act).

302.3 Audits commenced following a recommendation of the PSASG GED under 302.2 shall be conducted under the audit objective and audit criteria approved by the Auditor-General prior to the commencement of the audit.

302.4 Any amendment to the approved audit objective or criteria shall be sought from the Auditor-General and communicated appropriately to the auditee.

302.5 The PSASG GED shall perform an annual risk assessment of performance statement audits to determine which audits should be categorised as low, moderate and high risk and ensure that appropriate risk management strategies are implemented on such audits by the Engagement Executive in accordance with Chapter 312 of this audit manual, including communicating the results of risk assessments to the Auditor-General and Deputy Auditor-General.4

302.6 The PSASG GED shall be responsible for monitoring and reporting to the ANAO Executive on issues posing challenges to the delivery of performance statement audits, including implementing business processes to support the timely and complete identification of such matters.

Guidance

302.7 The key activity of the PSASG GED is set out in the Service Group business plans.

302.8 The PSASG GED manages the audit services groups and manages audit quality at a group level over performance statements audits. The responsibilities prescribed in this manual are not intended to restrict the GED from establishing practice management or further appropriate quality assurance business processes as the GED determines is necessary in the circumstances within the scope of the A-G Act, the ANAO Auditing Standards, and any other ANAO policy or legal requirements.

302.9 For high risk audits, the GED is expected to be more involved in the monitoring of audit planning, execution and reporting, including significant matters arising during the audit. The appointment of the PSASG GED as EQR in accordance with Chapter 8 of the Shared Content and Chapter 312 of this volume may increase the GED’s involvement. However, in circumstances where a different officer is appointed as EQR Chapter 312 requires consideration of the level of involvement of the PSASG GED as part of the response to the audit risk.

302.10 This involvement would not include specific direction, supervision and review of procedures and workpapers for individual performance statements audits, unless the PSASG GED has been assigned a formal role on the audit (such as being the signing officer or an Engagement Quality Reviewer) or was conducting specific roles reserved for the responsible GED under this part of the audit manual or under the Shared Content volume (such as a consultation required by Chapter 8).

303. Role and responsibilities of the Engagement Executive

Background

303.1 This policy sets out the responsibilities of the Engagement Executive in a performance statements audit.

303.2 The Engagement Executive is the ‘lead assurance practitioner’ for the purposes of the Standards on Assurance Engagements. Audit Executives for performance statements audits will be determined in accordance with the audit delegations.

Policy

303.3 The Engagement Executive shall fulfil:

  1. the responsibilities of the ‘lead assurance practitioner’ under the ANAO Auditing Standards and assigned by legislation:
    1. in their own right, when the Engagement Executive is also the Signing Officer for the audit; and
    2. on behalf of the Signing Officer, where another person signs the auditor’s report; and
  2. other responsibilities assigned by ANAO policy.

303.4 Consistent with the responsibilities of the lead assurance practitioner, the Engagement Executive shall take responsibility for overall quality on the engagement, including:

  1. the engagement being planned, performed and documented in accordance with the ANAO auditing standards, this audit manual and any other relevant ANAO policy, legal and regulatory requirements;
  2. appropriate review of the engagement documentation before the date of the audit report; and
  3. that appropriate consultation has been undertaken on difficult and contentious matters in accordance with Chapter 8 of the ANAO Audit Manual — Shared Content volume.

303.5 Where this manual specifies a policy requirement, that policy does not require the Engagement Executive to be directly involved in the performance of that action unless the policy specifically requires the Engagement Executive to do so. However, as required by paragraph 303.4 above, the Engagement Executive retains overall responsibility that the audit has been conducted in accordance with this Manual. Further, as required by Chapter 8 of the Shared Content Volume of this manual, the Engagement Executive also retains overall responsibility for suitable direction, review and supervision being provided to the members of the audit team performing these policy requirements.

303.6 Where there is a separate Signing Officer for the audit the Engagement Executive shall provide the Signing Officer and the PSASG GED with the following documentation:

  1. at planning:
    1. a summary of the overall audit strategy developed for the audit, including the key audit risks and planned audit responses (the summary may be in the form of an audit strategy prepared for communication with the auditee);
  2. at interim:
    1. Interim Management Letter;
  3. at the end of the audit:
    1. Closing Letter (or, in unusual circumstances where a Closing Letter is not prepared at the time of the relevant briefing, a summary of the significant matters arising in the audit);
    2. Final Performance Statements;
    3. Proposed Auditor’s Report; and
  4. any other information as directed by the Signing Officer or the PSASG GED in the form and at the audit stage requested.

303.7 Where an EQR is appointed to the audit, the Engagement Executive shall discuss significant matters arising during the audit, including those identified through the EQR’s processes, with the EQR and the Signing Officer if different to the Engagement Executive.

303.8 Where an EQR has not been appointed, the Engagement Executive shall be alert for changes in circumstances that would require an EQR to be appointed, including any indication that the overall level of audit risk has increased. Any increased level of risk likely to change the overall engagement risk rating shall be communicated to the PSASG GED without delay.

303.9 The Engagement Executive shall, on or before the date of the auditor’s report, through a review of the audit documentation and discussion with the engagement team, be satisfied that sufficient appropriate audit evidence has been obtained to support the conclusions reached and for the auditor’s report to be issued.

303.10 The PSASG GED shall not exercise any authority specifically reserved by the Audit Manual to the role of PSASG GED with regards to the audits that they have been appointed as Engagement Executive. In these circumstances, the Auditor-General or the Deputy Auditor-General shall exercise those authorities or delegate the authority to other GEDs in the ANAO as appropriate.

Guidance

Responsibilities of the Engagement Executive

303.11 The responsibilities in the auditing standards which this policy places on Engagement Executives include the following:

  1. the overall quality on each audit engagement to which the Engagement Executive is assigned.
    1. Through their actions and appropriate messages to the engagement team, the Engagement Executive should emphasise the importance of compliance with ANAO Auditing Standards and quality control policies and procedures. In addition, the engagement team should have the ability to raise concerns without fear of reprisals. Quality is essential in performing audit engagements, and the overall quality of the audit will be helped by ensuring that the audit is performed consistent with ANAO standard methodology;
  2. the engagement team’s compliance with relevant ethical requirements including APES 110.
    1. These include the principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour. The Engagement Executive should remain alert for evidence of non-compliance and if it should occur, in consultation with others, determine the appropriate action;
  3. the engagement team’s compliance with Chapter 5 of the ANAO Audit Manual — Shared Volume which prescribes ANAO’s independence policy;
  4. supporting the PSASG GED to apply appropriate procedures regarding acceptance and continuance of audit engagements when considering a request from the Finance Minister or responsible Minister under section 40 of the PGPA Act or designation of a performance audit on performance information under section 18B of the PGPA Act.
    1. These procedures should include consideration of the integrity of those charged with governance and management, competence of the engagement team and compliance with ethical requirements. All conclusions reached should be documented within the audit file;
  5. communication of the role of Engagement Executive and, where different, the Signing Officer, to key members of auditee management and those charged with governance;
  6. the appropriate planning of the engagement consistent with ASAE 3000 Assurance Engagements Other than Audits or Review of Historical Financial Information;
  7. the assignment of engagement teams and auditor’s experts which collectively have the appropriate levels of competence and capabilities.
    1. The Engagement Executive is required by the ANAO Auditing Standards to be satisfied that the competence and capabilities of the audit team will ensure performance of the audit engagement consistent with professional standards and regulatory requirements, and enable an auditor’s report that is appropriate in the circumstances.5 When considering the competence and capability of the engagement team as a whole, the Engagement Executive may take into account such matters as the team’s understanding and practical experience of audit engagements of a similar nature, their understanding of professional standard and regulatory and legal requirements, technical expertise, ability to apply professional judgement and understanding of the ANAO’s quality control policies and procedures;
  8. the direction, supervision and performance of the engagement consistent with professional and auditing standards and regulatory and legal requirements. The Engagement Executive should document the extent and timing of their reviews. Refer to the policy Direction, Supervision and Review (ANAO Audit Manual — Shared Content, paragraphs 8.2–8.4) for further guidance;
  9. ensuring that sufficient and appropriate audit evidence exists and is documented to support the conclusions reached and for the auditor’s report to be issued.
    1. In line with the ANAO policy Audit Documentation (ANAO Audit Manual — Shared Content, paragraphs 9.2–9.15) the only work that should be done after the signing of the auditor’s report is that of an administrative nature;
  10. following appropriate procedures for consultations and differences of opinion, and in particular, ensuring compliance with the ANAO policy on Differences of Opinion (ANAO Audit Manual — Shared Content, paragraphs 8.64–8.68);
  11. determining that an EQR has been appointed by the PSASG GED, as required by the ANAO Auditing Standards and ANAO policy (Refer to the Engagement Quality Review (ANAO Audit Manual — Shared Content, paragraph 8.42);
  12. discussing the susceptibility of the performance statements to material misstatement, particularly due to fraud, with the engagement team; and
  13. enough involvement in the audit engagement at appropriate stages throughout the engagement including attendance at key meetings, discussions with the engagement team, EQR and Signing Officer (where appropriate) and the completion of the planning and completion checklists at the appropriate stages of the audit.
Assistance from Audit Manager

303.12 Engagement Executives are assisted by the Audit Manager and team allocated to the engagement in fulfilling their responsibilities, including assistance with:

  1. consideration of whether the audit should be delivered through in-house or externally contracted resources;
  2. ensuring all audit related documentation is filed;
  3. planning the scope of work to produce the audit deliverables in the agreed timeframe;
  4. planning the time taken to prepare for, conduct and close the engagement;
  5. delivering in accordance with agreed timeframes;
  6. monitoring the costs associated with the audit, including recommending a variation to the budget if required;
  7. ensuring the quality of the audit deliverables;
  8. resourcing the audit to ensure that the audit team has the requisite skills to undertake the audit;
  9. the direction, review and supervision of audit team members;
  10. communication within the ANAO, among audit team members, and the entity being audited, and more broadly, other interested parties;
  11. assessing and managing the operational and engagement risks associated with the audit;
  12. the procurement of any specialist resources and any associated contract management;
  13. documenting the agreed scope, timeliness and quality assurance arrangements in respect of any services required from other areas within the ANAO to contribute to a performance statements audit; and
  14. ensuring all persons engaged in the audit complete the required independence documentation and action is taken to manage any declared conflicts as required.

303.13 Audit Managers are expected to regularly monitor progress against established audit milestones and document the actual date that audit milestones are achieved in the ANAO’s systems in a timely manner. The data held in those systems forms the basis of reports to ANAO senior executives.

303.14 When engaging with the entity being audited, especially on difficult or contentious matters, the Engagement Executive and audit team should ensure that a professional and productive approach is taken. This includes, for example, trying to understand the audited entity’s circumstances, operating environment and point of view.

303.15 The Engagement Executive should be aware of any risks to audit timeliness and budget, and escalate these as soon as practicable.

Relationship with the engagement quality review

303.16 Where an EQR has been appointed:

  1. significant issues arising on an engagement should be considered by the Engagement Executive (and the Signing Officer if applicable), in consultation with PSRG as appropriate, before consultation with the EQR to minimise compromising the EQR’s objectivity. Where there is a difference of opinion between the Engagement Executive (and the Signing Officer if applicable) and the EQR, ANAO policy on Differences of Opinion (ANAO Audit Manual — Shared Content, paragraphs 8.64–8.68) should be followed; and
  2. the auditor’s report cannot be issued until the completion of the engagement quality review (Refer to the Engagement Quality Review (ANAO Audit Manual — Shared Content, Chapter 8).

303.17 Where an EQR has not been appointed, circumstances which may cause the Engagement Executive to seek to have an EQR appointed could include the emergence of an unforeseen risk of material misstatement, identification of areas which are complex or contentious, or an increased reputational threat to the ANAO.

Date of signing of the auditor’s conclusion

303.18 The date of signing of the auditor’s report should coincide with the date the performance statements are signed wherever possible. The Engagement Executive should endeavour to agree an audit timetable with the auditee that provides for the auditor’s report to be signed on the same date the performance statements are signed. Where there is a delay of greater than 2 days between the signing of the performance statements and the auditor’s report thereon, paragraph 332.11 of this manual requires that to be brought to the attention of the PSASG GED.

303.19 Paragraph 61 of ASAE 3000 provides that a subsequent events review to the date of the auditor’s report must be undertaken and documented in the audit working papers. This includes any matters that occur between the Accountable Authority signing the performance statements and the signing of our auditor’s report.

304. Role and responsibilities of the Signing Officer

Background

304.1 The Signing Officer is the person who signs the audit report on the performance statements. In some cases, the Signing Officer may also be the Engagement Executive for the audit.

304.2 On some audits, the Auditor-General signs the audit report or delegates signing responsibilities to another executive other than the Engagement Executive for the audit. Where there is a separate Signing Officer, that officer has reduced involvement in the audit due to the Engagement Executive’s role however retains overall responsibility for the audit.

304.3 This policy requires the Signing Officer to review or approve key aspects of the audit and also provides the basis for the Signing Officer’s reliance on the Engagement Executive.

Policy

304.4 The Signing Officer is responsible for the audit and is the engagement partner for the purposes of the ANAO Auditing Standards.

304.5 While the Signing Officer relies on the Engagement Executive to fulfil key duties and requirements of the ANAO Auditing Standards, this does not reduce the Signing Officer’s overall responsibility for the audit. Where the Signing Officer is not the Engagement Executive on the audit, the following shall apply:

  1. the Signing Officer shall be briefed by the Engagement Executive at appropriate times during the audit which includes timely briefings on at least the planning, interim and final audit stages;
  2. the Signing Officer shall approve:
    1. key aspects of the audit approach, including key audit judgements;
    2. the interim management letter;
    3. the schedule of unadjusted differences;
    4. the audited performance statements6; and
    5. the auditor’s report;
  3. the Signing Officer shall be satisfied that the Engagement Executive has completed their work consistent with ANAO Auditing Standards;
  4. where an EQR is appointed, the Signing Officer shall be satisfied that the review processes have been completed satisfactorily before the audit report is issued;
  5. the Signing Officer shall review other information if the Signing Officer considers it appropriate in the circumstances of the audit; and
  6. the audit file shall contain documented evidence of the Signing Officer’s involvement.

Guidance

304.6 Significant matters arising on an engagement should be considered by the Engagement Executive, in consultation with the Signing Officer as appropriate. Significant matters may include critical areas of judgement, difficult or contentious matters, high risks of material misstatement or other areas that the Engagement Executive or Signing Officer consider important.

304.7 The requirement for the Signing Officer to approve key aspects of the audit strategy is intended to ensure that the Signing Officer provides approval of the key judgements in the audit.

304.8 The application of materiality is a significant judgment on the audit, although this does not necessarily require the signing officer to approve every materiality threshold set by the audit team in planning the nature, timing and extent of the audit of audit procedures on individual performance measures.

304.9 The Signing Officer may review matters additional to those required by this policy. For example, the Signing Officer may review the interim or final management letters or the closing report.

304.10 Where the Signing Officer is the Auditor-General, Deputy Auditor-General or Group Executive Director, the information required by those officials to fulfil the requirements of this policy will ordinarily be limited to that specified at paragraph 303.6 and through verbal briefings. Where further information is required, this will be requested by the Auditor-General or Deputy Auditor-General.

304.11 The Signing Officer’s approval of documents or key judgements and other significant matters are evidenced in the TeamMate file.

305. Role and responsibilities of the SADA Executive

Background

305.1 This policy sets out the responsibilities of the SADA Executive in a performance statements audit that engages the specialist skills of the SADA Group.

305.2 A SADA Executive is allocated to a performance statements audit or other assurance engagement consistent with ANAO Audit Manual — Shared Content volume, paragraph 6.4.

Policy

305.3 The role and responsibilities of the SADA Executive shall include:

  1. the direction, supervision and performance of the SADA component of the engagement;
  2. reviewing key documents and working papers on the audit file, including:
    1. SADA signoffs on planning and completion procedures;
    2. those relating to significant IT risks, judgements and difficult or contentious matters; and
    3. components of the proposed auditors’ report relevant to SADA work undertaken during the audit (where applicable);
  3. having sufficient involvement in the engagement at appropriate stages, including attendance at key audit meetings and discussions with the engagement team and Engagement Executive and/or Signing Officer;
  4. attendance at entry/exit meetings where appropriate, or other relevant meetings with auditee senior IT management; and
  5. attendance at Audit Committees, where appropriate.

Guidance

305.4 The responsibility for the direction, supervision and performance of the SADA component of the engagement includes:

  1. emphasising the importance of audit quality on each engagement;
  2. tracking the progress and quality of the SADA component of the engagement;
  3. considering the competence and capabilities of the SADA audit team assigned to the engagement;
  4. ensuring that appropriate SADA procedures are planned and performed;
  5. addressing significant SADA matters arising during the engagement and the impact on the planned approach;
  6. ensuring the SADA work performed supports the conclusions reached and is appropriately documented; and
  7. agreeing with the Engagement Executive any SADA services to be provided in a performance statements audit, the scope, timeliness and quality assurance arrangements for those services, as well as ensuring those services are appropriately resourced.

305.5 IT can pose specific risks to an entity’s internal control. Some examples of IT risks which may be relevant to performance statements audits are:

  1. reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both;
  2. unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or non-existent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database;
  3. the possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties;
  4. unauthorised changes to data in master files;
  5. unauthorised changes to systems or programs;
  6. failure to make necessary changes to systems or programs;
  7. inappropriate manual intervention; and
  8. potential loss of data or inability to access data as required.

305.6 Attendance at key meetings should be determined by the nature of the audit and the level of SADA involvement. If SADA involvement has been minimal and/or there are no material findings arising from SADA work performed, it may not be necessary for the SADA Executive to attend key meetings with the auditee and within ANAO. However, attendance at key meetings would be expected if there was extensive SADA involvement and/or material findings arising from SADA work performed.

Engagement performance — planning and interim

Chapters 311 to 314

311. Understanding the entity and the performance measures subject to audit

Policy

311.1 The audit team shall obtain sufficient understanding of the entity and performance measures to be audited.

311.2 Enough evidence shall be obtained so that the audit team is able to identify and assess the risks that the performance statements do not meet the audit criteria, and design and undertake evidence-gathering procedures that are responsive to the identified and assessed risks.

311.3 The audit team’s understanding of the entity shall include the entity’s system of internal control relevant to the preparation of performance statements and the appropriateness of the entity’s performance measures in accordance with the requirements of the PGPA Rule.7

311.4 The planning stage of the audit only requires an understanding of the appropriateness of the entity’s performance measures based upon the information available obtained in previous audits (where applicable) and the relevant published corporate plan, portfolio budget statements and portfolio additional estimates statements sufficient to provide a basis for the development of an efficient and effective audit strategy.

311.5 The interim and final stages shall include audit procedures that involve further enquiries of the auditee and inspection of documentation that corroborates or contradicts the assessments made at planning. The planned audit approach shall be amended where information obtained subsequent to the planning stage indicates that the planned audit approach is no longer responsive to the audit team’s understanding risks of material misstatement.

311.6 The audit team shall make enquiries of the auditee to understand:

  1. whether they have knowledge of any actual, suspected or alleged intentional misstatement of the performance statements;
  2. whether they have knowledge of any actual, suspected or alleged non-compliance with laws and regulations affecting the preparation of performance statements;
  3. whether they have an internal audit function, and its activities and findings relevant to the preparation of performance statements; and
  4. whether experts were used by the auditee in the preparation of the performance statements.

Guidance

311.7 The collection of information about the entity and performance measures to be audited is a key element of planning for an audit.

311.8 Obtaining an understanding of the entity, its purposes and the context in which the entity operates is an essential part of planning and conducting a performance statements audit. It includes gaining knowledge of the entity, its legislative and policy framework and the entity’s purposes and key activities.

311.9 Additionally, an understanding of the entity’s internal control and performance statement preparation processes is required to ensure that audit procedures are designed and executed in a manner that is responsive to the audit risk.

311.10 This understanding provides the auditor with a framework to:

  1. form a view on the overall maturity of the preparer’s performance statement preparation processes and respond with an appropriate audit strategy;
  2. design an effective and efficient audit approach using a combination of controls and substantive audit evidence;
  3. identify and assess audit risks;
  4. identify engagement risks and assess materiality;
  5. identify whether there is the need for specialist skills or the work of an expert; and
  6. estimate resource requirements.
Types of information to be collected

311.11 The types of information that it may be appropriate to collect about the performance statements auditee includes:

  1. purposes of the entity8;
  2. the programs and key activities of the entity including the intended outputs and outcomes, delivery methods and constraints;
  3. the performance measures of the entity as prescribed in the entity’s portfolio budget statements, portfolio additional estimates statements and corporate plan;
  4. external accountability relationships — who the stakeholders and clients are and what their interests are in the entity;
  5. internal accountability relationships — such as organisational arrangements, delegations and committee structures;
  6. resources — the physical, financial, human and information resources available to the entity;
  7. applicable legal and policy frameworks/requirements for the activity
  8. internal controls processes, including:
    1. governance arrangements, including audit committees;
    2. internal performance measures used by management;
    3. the processes used by management to ensure the integrity of the reported performance measures;
    4. the nature and frequency of internal reporting on performance;
    5. the systems and controls in place for controlling the entity’s resources;
    6. the systems and controls used to collect the underlying records for performance statements;
    7. risk assessments used by management; and
    8. the role of internal audit;
  9. the entity’s legislation and governance framework;
  10. the external environment — factors that influence the entity’s operations, over which the entity may have little control, such as economic, social and political influences, with a particular focus on changes to that environment; and
  11. other information on the entity.
Sources of information

311.12 In accordance with ASA 315 Identifying and Assessing the Risks of Material Misstatement and other financial statement auditing standards, a substantial amount of information about the entity’s legislative framework, systems of internal controls, compliance with laws and regulations and internal audit activity is collected and analysed by the financial statements audit team of a Commonwealth entity. This information will normally be directly relevant to financial performance measures and directly or indirectly relevant to other aspects of the entity’s performance. It is therefore important for performance statements and financial statements audit teams to work together to coordinate collection of information from auditees, share insights and implement a joined up approach to auditing.

311.13 SADA’s cumulative audit knowledge about major Commonwealth government IT systems may provide useful background information about key potential IT aspects of the performance statements audit.

311.14 Background information may also have already been collected as part of the ANAO’s annual planning process or as part of a relevant performance audit. In accordance with ASAE 3500 Performance Engagements, performance auditors gather information about the business processes, legislation and activities relevant to the performance engagement. It includes gaining knowledge of the entity that is responsible for the activity, and where relevant, the broader program of which the activity is part of. The information typically gathered is described in detail in Chapter 205 of the PASG content of this manual and is likely to be relevant to a performance statements audit where a performance measure relates to an area of performance audit activity.

311.15 In addition, the audit team should hold discussions with the entity, including internal audit, and obtain and review documentation, including:

  1. relevant policies, plans and procedures; and
  2. reports on any evaluations or reviews.

311.16 The information-gathering powers in the A-G Act can be used to obtain information and documents required for planning an audit. However, in practice, the information-gathering powers are used as ‘reserve’ powers and access to required information is almost always obtained through cooperation with entities. Detailed policy and guidance about using these powers is provided in Chapter 2 of the Shared Content volume of this manual.

312. Engagement risk rating

Background

312.1 The assessment of engagement risk helps the Auditor-General, the PSASG GED and PSASG Engagement Executives identify professional risks associated with auditees and engagements of the ANAO at a whole-of-practice and individual engagement level. The determination of engagement risk provides a basis to determine whether additional quality control responses in accordance with ASAE 3000 are required.

Policy

312.2 At the start of each audit cycle, the PSASG GED shall determine the risk ratings assigned to all PSASG engagements.

312.3 The PSASG GED’s determinations shall be communicated to the Auditor-General, the Deputy Auditor-General and all Engagement Executives responsible for PSASG engagements.

312.4 An engagement shall be assessed as being a low, moderate or high risk engagement based upon the overall risk of the engagement to the Auditor-General and the ANAO. This shall include consideration of:

  1. the risk of material misstatement (RoMM) arising from the engagement (that is, the risk that there is a material misstatement in the subject matter before the conduct of the engagement); and
  2. other professional risks, being any other source of risk to the Auditor-General and the ANAO arising from the conduct of the engagement including, but not limited to, litigious and reputational risks.

312.5 A preliminary assessment of the engagement risk for each engagement shall be documented by the Engagement Executive. The results of this preliminary assessment shall be provided to the PSASG GED for consideration.

312.6 Where a new PSASG engagement has commenced subsequent to the PSASG GED’s annual determination, the Engagement Executive shall recommend an engagement risk rating to the PSASG GED for approval.

312.7 Where the engagement risk has been assessed as high on a performance statements audit:

  1. an EQR shall be assigned;
  2. staff assigned with key roles shall have appropriate skills and experience for their assigned role; and
  3. other appropriate responses shall be determined and documented, including specific responses to the underlying events or conditions giving rise to the High engagement risk rating and level of involvement of the PSASG GED.

312.8 The engagement risk, together with the associated rationale and impact on the audit approach, shall be communicated to the auditee as part of formal communication at the planning stage.

312.9 Where the engagement risk assessment is revised to High during the audit, the Engagement Executive shall ensure that the risk responses required by this policy, including appointment of an EQR where applicable, are applied.

312.10 Engagement risk shall be monitored throughout the engagement. Where a change in the circumstances of a PSASG engagement causes the Engagement Executive to believe that the engagement risk rating requires revision, a new rating shall be recommended to the PSASG GED for approval.

Guidance

Components of engagement risk

312.11 When assessing engagement risk, one relevant risk is the risk of material misstatement, which is a risk posed by the circumstances of the engagement and reflects the risk prior to the conduct of the engagement that the performance statements contain material misstatements. The auditor’s procedures in response to the risk of material misstatement are designed to reduce audit risk to an acceptably low level in each engagement.

312.12 However, for the purposes of managing risk for the ANAO as a whole, engagement risk also encapsulates other risks to the Auditor-General and the ANAO arising from the conduct of the engagement that is separate or additional to the risk of material misstatement. These risks are referred to collectively as “Other Professional Risks”.

312.13 PSASG uses an engagement risk rating scale of low, moderate and high. The rating assigned to an auditee is based on professional judgement relating to the auditee’s particular circumstances.

312.14 Sources of engagement risk are cumulative and should be considered collectively to assess the overall risk.

Risks of material misstatements

312.15 For audits of performance statements, the risk of material misstatement includes the risks that the auditor does not directly influence: inherent risk and control risk. As applied to performance reporting, these concepts are defined as:

  1. Inherent risk: the susceptibility of the performance statements to a material misstatement before consideration of any related controls applied by the auditee’s Accountable Authority; and
  2. Control risk: the risk that a material misstatement that occurs in the performance statements will not be prevented, or detected and corrected, on a timely basis by the internal control implemented by the auditee.

312.16 Assessment of risk of material misstatement does not take into account the ANAO’s planned audit response to reduce the residual risk to an acceptable level. Overall, this means that for an audit of performance statements, the risk of material misstatement is the risk that the performance statements are materially misstated prior to audit. The risk that the auditor is able to directly influence is the risk that the procedures performed by the auditor will not detect a material misstatement and is known as detection risk.

312.17 The assessment of the risk of material misstatement is central to the risk-based audit approach, and requires the engagement team to:

  1. understand the entity and its environment, including internal control;
  2. assess the risks of material misstatement for the performance statements, whether due to fraud or error; and
  3. design and perform audit procedures to reduce audit risk to an acceptably low level.

312.18 TeamMate contains templates in the A.2: Understand Entity and its Environment which help in determining the risk of material misstatement for an auditee and may be used as the basis for recording the preliminary risk assessment required by paragraph 312.5 above.

312.19 Relevant factors for consideration when determining performance engagement risk include:

Factors that may impact the assessment of audit risk

Subject matter characteristics

The nature of key activities and transactions, for example, high volumes, large dollar values and complexities.

The nature, size and complexity of the performance measures and targets.

External environment

The economic, social, political and environmental impact of the key activity/performance measure.

The reliance of the performance measure on third party information.

Internal factors

The extent of management’s actions regarding issues raised in previous audit engagements.

The integrity of management and those charged with governance, including evidence from prior engagement with the ANAO or other bodies.

The skills and experience of the preparers of performance information and the extent to which the preparers of the performance information have the necessary administrative authority to ensure the preparation of performance statements that comply with the relevant requirements.

The complexity and quality of management information and other aspects of external reporting.

The effectiveness of internal control.

The nature and degree of change in the environment or within the entity that impact on the activity or the performance measures.

   

312.20 Potential indicators that there is a high level of audit risk may include:

  1. highly complex entities with multiple purposes, activities or programs;
  2. complex performance measures;
  3. performance measures relying on significant judgement by the measurer;
  4. deficiencies in corporate governance;
  5. substantial reliance on third parties;
  6. significant business risks which impact on the performance of the entity as a whole;
  7. poorly controlled, or changing, processes and systems;
  8. complex or bespoke IT systems;
  9. frequent changes in key personnel, systems or programs which are not well managed; and
  10. previous financial, performance or performance statement engagements that may have reported on significant findings.

312.21 The assessed risk of material misstatement is communicated to the auditee as part of formal communication at the planning stage. Subject to the agreement of the PSASG GED, low and moderate engagement risk ratings may be communicated to the auditee as ‘normal’ risk.

312.22 Reporting to the Parliament may use the low, moderate and high risk rating approach in line with the TeamMate file workpapers. The low or moderate rating can be communicated with the auditee formally or informally, as considered appropriate by the relevant Engagement Executive.

312.23 Key Individual risks of material misstatement (i.e. those assessed as significant and relevant) that are identified during audit planning should be evaluated to consider their impact on the engagement risk. The risk level of the identified risks should be determined by assessing the likelihood and potential impact of each risk.

Other professional risks

312.24 While the assessment of the risk of material misstatement is central to the ANAO’s risk-based audit approach, it does not address all of the risks that the Auditor-General must manage to effectively deliver on all of the functions provided under the A-G Act. To assist the Auditor-General to manage these risks, it is the responsibility of the PSASG GED and Engagement Executives to identify and respond to other potential risks arising out of conduct of individual engagements.

312.25 While the A-G Act provides the ANAO with expansive powers, independence and indemnities, the Office and the Auditor-General are not immune from litigation. The possibility of legal action being taken by an auditee or other interested party due to the conduct of a PSASG engagement may impinge upon the professional reputation and independence of the Office.

312.26 In some other circumstances there may be a reputational risk arising from the conduct of an audit. Reputational risks may arise because of perceptions about the appropriateness, competence or role of the Auditor-General. Examples may include:

  1. politically sensitive subject matters where the ANAO’s audit conclusion may be perceived as supportive or unsupportive of areas of government policy;
  2. stakeholder understanding or expectation is different from the audit objective and criteria, resulting in an expectation gap between the scope of the audit and the expectations of the users. For example, the ANAO may issue an unmodified auditor’s report on performance statements which indicate that an auditee met its performance targets where there is significant stakeholder dissatisfaction with the auditee’s performance;
  3. breaches (or apparent breaches) of confidentiality and privacy provisions of the A-G Act, Parliamentary conventions, other legislation and community expectations;
  4. difficult or contentious relationships with auditees, particularly those likely to lead to public disagreements;
  5. the ANAO being perceived as unpragmatic, unrealistic or otherwise inconsistent with relevant stakeholder expectations; and
  6. the ANAO not being perceived as independent because of a conflict between the ANAO’s mandate and relevant professional independence requirements.

312.27 In some cases, no amount of additional audit work will significantly reduce the risk arising from Other Professional Risks, however the employment of additional quality assurance and risk management procedures will provide the Auditor-General with additional confidence that the work performed is appropriate and will stand up to scrutiny.

Roles, Responsibilities and Appointment of EQRs

312.28 Where it is determined under this policy that an EQR is to be appointed, the roles, responsibilities and appointment of the EQR are determined by the Engagement Quality Review policy (refer to ANAO Audit Manual — Shared Content, paragraphs 8.42–8.52).

Public interest entities

312.29 Public Interest Entities (PIES) are a concept under the financial statement assurance independence requirements in APES 110 and refer to those auditees which have a fiduciary or other financial trust relationship with a large number and wide range of stakeholders.

312.30 Annually the FSASG GED determines which entities are PIEs, and for those entities, additional quality control and independence requirements apply to the financial statement audit, including the appointment of an Engagement Quality Reviewer.

312.31 The PIE concept does not apply to other audits, including performance statement audits and therefore there are no direct consequences to the performance statement audit arising where the FSASG GED determines that auditee to be a PIE. However, where a performance statement auditee is considered a PIE by FSASG, the audit team should consider whether the reasons for that auditee being designated a PIE are relevant to the assessment of the auditee’s performance statements engagement risk.

313. Materiality

Policy

313.1 Materiality shall be considered when determining the nature, timing and extent of procedures.

313.2 The determination of materiality is a matter of professional judgement and the basis for the professional judgements made shall be documented.

313.3 Materiality shall be assessed during the planning of the audit approach and reassessed if there is any indication that the basis on which the materiality was determined has changed. Audit risks shall be assessed at planning and considered and addressed throughout the audit in order to reduce it to an acceptably low level.

313.4 Major changes to the risk levels or mitigation actions and new identified risks shall be approved by the Engagement Executive.

General principles of materiality of individual performance measures

313.5 The audit shall be conducted on the basis that the following items are presumed to be material:

  1. each performance measure identified by the entity in the portfolio budget statements, portfolio additional estimates statements and corporate plan; and
  2. any additional performance measures included in the performance statements.

313.6 The presumption of materiality for performance measures at 313.5 may be rebutted in accordance with this chapter of the audit manual. Any rebuttal of the presumption of materiality must be documented in the audit file and approved by the Engagement Executive.

Application of principles of materiality — performance measures included in the performance statements

313.7 For each performance measure that is deemed to be material and included in the performance statements the engagement team shall design and perform substantive procedures for the measurement of the measure, reporting of its achievement against any targets and associated disclosures.

313.8 The nature, timing and extent of substantive procedures designed to obtain sufficient appropriate audit evidence to address 313.8 is a matter of judgement for each engagement team.

313.9 For the avoidance of doubt, for each performance measure that is deemed to be material and included in the performance statements, the presumption of materiality does not imply that any misstatement is material to the performance statements as a whole. Each actual or potential misstatement shall be assessed in accordance with Chapter 325 of this volume.

313.10 For any performance measures included in the performance statements that are determined not to be material in accordance with 313.5, the audit team shall plan and execute audit procedures. Audit procedures shall be planned to reduce the risk to an acceptably low level that there are undetected misstatements in the reporting of these performance measures are material to the performance statements as a whole.

Application of principles of materiality – auditee not reporting performance results in accordance with intended methodology

313.11 Where an auditee has reported on a performance measure but not followed the planned approach to measuring the performance result (including circumstances where the auditee discloses that it is unable to accurately report the results) the engagement team shall consider the following factors in assessing the materiality of the change in approach:

  1. the accuracy and completeness of the disclosure of the reasons for deviation from the planned approach; and
  2. where a result is reported, despite the change in planned approach - the reasonableness of the revised approach, the sufficiency and appropriateness of the evidence to support the reported result and the likelihood that the revised approach taken gives rise to a significantly different result compared to following the planned approach; or
  3. where the performance measure is included in the performance statements but no result is reported (i.e. a result of ‘unable to report’ or similar is included) - whether the omission results in the performance statements as a whole being incomplete due to insufficient measures over significant aspects of the entity’s purposes and outcomes, the level of accompanying disclosure supported by sufficient appropriate evidence providing relevant information about performance and whether the inability to report is reasonable in the circumstances.
Application of principles of materiality - omission of performance measures

313.12 In determining whether the performance measures results reported in the performance statements completely address the performance measures that were prescribed in the auditee’s Portfolio Budget Statements, Portfolio Additional Estimates Statements and Corporate plan, omissions of performance measures are presumed to be material however this presumption may be rebutted if:

  1. the performance measure that has been omitted has been assessed by the audit team not to be an actual performance measure because it does not measure the entity’s achievement of its purposes or key activities; or
  2. the performance measure that has been omitted is assessed by the audit team as being duplicative or otherwise unnecessary given the existence of other performance measures in the performance statements addressing the same aspect of performance (including those performance measures that have been added by the auditee to the performance statements in addition to those that were prescribed in the relevant planning documents).

313.13 The application of the rebuttal of the materiality omissions of performance measures in paragraph 313.12 shall include consideration whether:

  1. the performance measure is omitted for bona fide reasons9; and
  2. the performance statements disclose the reason for the omission.
Application of principles of materiality - omission of performance information not prescribed by the Portfolio Budget Statements, Portfolio Additional Estimates Statements or Corporate Plan

313.14 In determining whether the performance results reported in the performance statements completely address the performance of the entity, the audit team will assess the materiality of any omitted aspect of the entity’s purposes and key activities by reference to:

  1. the importance of any omitted activity to the core business of the entity10;
  2. the magnitude of the resources consumed by the omitted activity - in terms of both the relative value of expenditure compared to the auditee’s cumulative activities and the absolute value of the expenditure; and
  3. the impact of aggregation of activities and/or programs, including whether the auditee’s performance information has been aggregated to such an extent that it is not presenting a fair view of its performance.11

313.15 All programs identified in the auditee’s Portfolio Budget Statements or Portfolio Additional Estimates Statements for which no performance measures are included in the performance statements shall be considered when determining what is an important omitted activity.12

Materiality thresholds for individual performance measures

313.16 The audit team shall determine a planning quantitative materiality for each material performance measure that is quantitative in nature.

313.17 That planning materiality shall be set at the standard benchmark of the results of the performance measure unless a different materiality threshold is determined to be appropriate in accordance with 313.18.

313.18 Where the audit team determines that the standard benchmark is not the appropriate materiality threshold for a performance measure, a different threshold may be set with the approval of the Engagement Executive or the responsible GED as appropriate. Auditors shall document the basis for their judgement to set a threshold other than the standard threshold, considering the risk of misstatement including historical levels of misstatement, expected performance against the performance target and the entity’s operating environment.

313.19 The objective of setting of a materiality threshold for quantitative performance measures is to set a threshold that represents the audit team’s assessment of the level of misstatement for each performance measure that the auditor can tolerate to:

  1. enable the auditor to design audit procedures to detected misstatements that may be material to the individual performance measure; and
  2. to form a basis for assessing whether identified misstatements are material misstatements individually or in aggregate.

313.20 In planning the nature, timing and extent of audit procedures and assessing the materiality of any detected misstatements for quantitative measures, the audit team shall consider qualitative factors in addition to the quantitative threshold.

313.21 Misstatements which have the effect of changing whether the auditee met its prescribed performance target shall be considered qualitatively material irrespective of the quantitative materiality threshold.

313.22 For each performance measure that is qualitative or narrative in nature, a planning materiality benchmark is not required to be set at planning. However, in planning the nature, timing and extent of audit procedures and assessing the materiality of any detected misstatements, the audit team shall consider factors that the users of the performance statements may consider material.

313.23 Where a performance measure is qualitative or narrative in nature, but the key factual information supporting the qualitative or narrative information is quantitative in nature, the audit team shall have regard to the planning materiality thresholds in 313.17 and 313.18 when planning the nature, timing and extent of audit procedures.

313.24 Materiality shall be considered when evaluating the effect of any identified misstatements, taken individually and in combination in accordance with Chapter 325 of this volume.

Guidance

Materiality

313.25 Materiality considerations affect decisions concerning the nature, timing and extent of audit procedures and the evaluation of audit results. Considerations may include the value of expenditure for the activity being measured, stakeholder concerns, public interest, regulatory requirements, and consequences for society. Materiality can vary over time and can depend on the perspective of the intended users and responsible parties.

313.26 Materiality considerations should include the assessment of the appropriateness and completeness of performance information.

313.27 Materiality pertains to the information needs of intended users. Ultimately a misstatement will be determined to be material under Chapter 325 of this manual if it, individually or in aggregate, could reasonably be expected to influence relevant decisions of intended users taken on the basis of the subject matter information. Relevant decisions include the conduct of accountability and transparency through the parliamentary process.

313.28 ANAO considers the Parliament to be the primary users of our audit work. Reporting to the Parliament achieves accountability and transparency, consistent with ANAO’s purposes. Other key users that are relevant to our materiality considerations include the general public and other stakeholders who would use the Performance Statements to assess performance of the Department. For example, a peak body representing universities may rely on the Department of Education and Training’s performance statements to understand how university-related programs are working.

313.29 The ANAO’s performance statements auditor’s reports are addressed to the Finance Minister or the responsible Minister and the Executive Government is also a user of the performance statements. While the Executive Government are an important and relevant user to consider, the authority of Ministers to direct Commonwealth Entities to provide them with information means that Executive Government information needs are sometimes less relevant to the purposes of accountability and transparency.

313.30 ANAO performance statements audits presume that performance measures are material. The executive government identifying an individual program to the Parliament through the budgetary process indicates that the executive government has assessed that the program is important to the achievement of the entity’s purposes.

313.31 Relatively small programs could have qualitative aspects of their delivery which are material to the affected constituents and other stakeholders. Portfolio Budget Statement preparation rules require at least one high level performance criterion for each program and a full suite of performance measures for new programs or materially changed programs.

313.32 These presumptions serve a similar purpose in planning the audit to an overall performance materiality threshold in a financial audit. The nature of the Commonwealth’s performance reporting framework makes a definitive overall financial materiality impracticable, as the objective of performance reporting in the Commonwealth is to address the broad-based non-financial performance of an entity. Performance reporting involves a mixture of measures (outputs, efficiency and effectiveness) including qualitative and quantitative information about key activities (the activities that address the purposes of the entity) such that there is no central single driver of performance (unlike financial reporting where the overall performance and position of the entity can be meaningfully summarised in monetary terms).

313.33 The presumption that all appropriate measures are material is rebuttable in limited circumstances. Where the audit team determines that a purported performance measure does not relate directly to the auditee’s purposes or key activities, they may conclude that the auditee not reporting the outcome of this performance measure in the performance statements does not give rise to a material omission according to paragraph 313.13 of this chapter.

313.34 The fact that all appropriate measures are considered material does not imply that the same level of work should be done for each measure in this category, as the level of work will be influenced by other factors, including:

  1. the susceptibility of the performance measure to material misstatements without regard to the possible impact of any controls and our procedures (i.e. the inherent risk of misstatement for the performance measure — how likely there is a misstatement in the population that should be prevented or detected by the auditee’s internal controls and our audit). The greater the inherent risk, the more audit work will be required for the auditor to be satisfied that the residual risk of undetected misstatements has been reduced to a suitably low level (this may include controls tests and substantive tests or only substantive tests).
  2. the tolerance of users of the performance statements for a misstatement in the measure (e.g. for a measure about significant legislative breaches, the users may not tolerate any misstatement other than that which is clearly trivial, but for a measure about the estimated level of satisfaction amongst stakeholders, users are more likely to accept that a reported result is an approximation and cannot be accurate to the same level). The level of misstatement that is acceptable in each circumstance will affect the nature and extent of testing, including the number of items or transactions not being tested (in a targeted approach) or the number of sample tests (in a representative sampling approach).

313.35 Guidance in respect of accumulating audit differences and applying materiality to misstatements to form a conclusion is at Chapter 325 Forming the audit conclusion.

Materiality and performance engagement risk

313.36 Materiality and audit risk need to be considered together, as considerations of materiality will consequently impact audit risk.

313.37 Audit risk includes the risk of expressing an inappropriate conclusion based on evidence that is not soundly based. This may include evidence that is improper or incomplete as a result of inadequacies in the evidence gathering process, misrepresentation or fraud. It also includes operational risks that an audit will not be completed in accordance with the approved budget and timeframe and to the required quality.

313.38 Determining materiality and audit risk as a team, with Engagement Executive leadership, is vital to avoiding under or over-auditing. This can result where team members have different views on materiality and audit risk.

313.39 Audit risk is assessed in planning and throughout the conduct of a performance statements audit. The assessment of audit risk requires the audit team to:

  1. understand the entity, its activities and its environment;
  2. assess risks to the audit conclusion; and
  3. design and conduct audit procedures to reduce audit risk to an acceptably low level.
Application of materiality concepts to ancillary information

313.40 The performance statements, including commentary, analysis and ancillary information, should present a fair, balanced and understandable view of the entity’s performance in achieving its purposes.

313.41 The audit includes procedures to assess the statements’ veracity, particularly whether it presents a balanced perspective of the performance results overall. This includes considering the quality and reliability of the analysis, such as the reasons for not meeting targets, as well as the quality and accuracy of commentary and other information.

313.42 In making this assessment the auditor remains alert to positive/negative bias or irrelevant information in commentary and considers whether the additional information is presenting a view which is inconsistent with the performance measures and financial results. For example, auditors may consider whether the additional information obscures material information or makes the performance statements less readable. Where inconsistencies are identified the auditor should consider whether the information represents a material misstatement. In accordance with Chapter 325 of this manual, such potential or actual misstatements would be considered firstly on the impact on the performance measure itself but also against the related key activities/programs, outcomes, then the performance statements as a whole.

314. Planning audit procedures

Policy

314.1 The audit team shall document the planned audit procedures including the nature, timing, extent and rationale for the planned procedures for each performance measure.

314.2 The planned audit procedures shall be updated as necessary throughout the audit and all changes in the planned procedures shall be clearly documented and explained.

314.3 The performance statements audit planning shall include an assessment of whether the audit team has adequate skills, competence and knowledge to undertake the particular audit. This shall be revised where necessary.

Guidance

314.4 Documentation of the planned audit procedures include the nature, timing and extent of evidence-gathering procedures and the rationale for selecting the approach.

314.5 When determining the extent of time and resources required for planning, audit teams are to consider:

  1. the audit team’s experience with and understanding of the entity and the audit topic;
  2. the size of the team;
  3. the level of the audit team’s auditing experience;
  4. the scope of the audit in terms of the size, variety and technical complexity of the activities and performance measures of the audited entity; and
  5. the complexity of the proposed tests and evidence-gathering techniques.

314.6 The planned audit procedures documentation includes:

  1. the types and expected sources of audit evidence, including substantive and controls-based procedures;
  2. the techniques planned to be used to gather evidence;
  3. the planned audit procedures, including timing and extent;
  4. personnel and expertise requirements, including the nature and extent of the use of specialists or experts when applicable;
  5. the allocation of tasks to be performed by audit team members;
  6. materiality; and
  7. assessment of audit risk.

314.7 Planning is not a discrete phase but a continual process, and the test program may need to be revised to reflect any changes in the planned approach. It is recommended that updates to the planned approach and rationale are documented to explain why the change was necessary.

314.8 As part of planning and conducting a performance statements audit, the audit team is required to obtain an understanding of the entity and the programs and activities pertaining to the entity’s performance statements. This should include making an assessment of whether fraud, or related wrongdoing, may have a significant impact on the performance statements. It is not the auditors’ responsibility to prevent or detect fraud or other wrongdoing through the conduct of their audits. This is the responsibility of the entity itself. The ANAO is also not in a position to determine whether a fraud or other wrongdoing has actually occurred.

314.9 It is, however, the auditor’s responsibility to detect material misstatements in the performance statements that may occur as a result of fraud, including intentionally misstated performance information designed to obscure the misappropriation of assets or to misrepresent the entity’s performance. This risk may be elevated because excessive pressure exists for management to meet the requirements or expectations of third parties, and systems for recording performance information may be less mature than those for recording financial information.

Materiality considerations

314.10 The consideration of materiality is relevant to all aspects of performance statements audits. Therefore, the auditor needs to consider materiality when identifying which activities and performance measures are to be tested as part of the audit strategy, evaluating the evidence, identifying misstatements and developing the audit conclusion.

314.11 Quantitative factors affecting materiality relate to the magnitude of the potential or actual misstatements compared to performance measures that are expressed numerically (for example, for a performance measure based upon the production of 100,000 widgets, materiality considerations would be based around the number of widgets). The auditor needs to consider the aggregate effect of all misstatements that are more than clearly trivial both on the performance measure to which it relates and to the overall performance statements.

314.12 Qualitative factors affecting materiality may include such things as:

  1. when a target has been identified, whether the result of a potential misstatement affects the measurement of the achievement of the target (; (this may include a threshold or benchmark value not formally identified in the auditee’s corporate plan but which users of the performance statements would have regard for, such as a target specified in legislation or a government policy);
  2. the interaction between, and relative importance of, various components of the activity or performance measure when it is made up of multiple components, such as an activity with numerous performance measures;
  3. whether a potential or actual misstatement affects compliance with law or regulation;
  4. the effect of an adjustment on past or current activities or is likely to affect future activities;
  5. whether a misstatement is significant having regard to known previous communications to users;
  6. whether a particular aspect of the activity or performance measure is significant with regard to the nature, visibility and sensitivity of the audited entity;
  7. whether the health or safety of citizens is affected; and
  8. any other aspect which relates to the achievement of transparency or accountability with respect to the entity’s performance.

Engagement performance — execution

Chapters 321 to 325

321. Entity security requirements

Policy

321.1 All staff shall comply with the relevant requirements of the Australian Government’s Protective Security Policy Framework, as implemented by the entity subject to audit.

321.2 Where the audit team considers that entity security requirements are not reasonable, this shall be promptly brought to the attention of the responsible Executive Director and, as necessary, the responsible GED, and resolved through professional communication with the entity as soon as practicable.

321.3 Entity information about individuals shall only be accessed for a clearly defined audit purpose, and ANAO staff shall not attempt to access information from entity systems or records relating to themselves, relatives or acquaintances. If there is a risk of accessing such information in the course of an audit or review, staff shall bring the risk to the attention of their audit executive who shall consult with the relevant entity as necessary.

Guidance

321.4 When allocating resources to an audit, the likely level of security clearance required should be considered, and staff should be allocated accordingly where possible.

321.5 The audit team needs to give regard to the reasonable security requirements of the entity being audited.

321.6 For further information, the audit team can refer to the ANAO’s Personnel Security Policy, available on the Audit Central Protective Security page.

321.7 There are a number of factors that the audit team can consider when assessing the reasonableness of the entity security requirements. These include whether the requirements:

  • impinge on access to documents and systems necessary to the completion of the audit;
  • introduce barriers to the efficient conduct of the audit that are contrary to the exercise of access powers under the A-G Act; and
  • do not provide for the same level of clearance for the audit team as the level of clearance for relevant entity personnel.

321.8 Entity ICT security protocols may be triggered in the event of inappropriate access. Inappropriate access may result in reputational damage to the ANAO as a trusted user of entity information and action against the individuals involved.

322. Gathering and verifying audit evidence

Policy

322.1 The audit team shall gather evidence that is sufficient and appropriate to address the audit objectives and support a reasonable assurance conclusion.

322.2 The audit team shall exercise professional judgement to obtain the sufficient quantity and appropriate quality of audit evidence.

322.3 This evidence shall be documented and stored appropriately to provide the basis for concluding that the audit was conducted in accordance with the ANAO Auditing Standards and other legal requirements.13

322.4 All evidence gathered shall be stored appropriately in accordance with the ANAO’s Protective Security Governance Policy and ANAO Recordkeeping Framework.

322.5 ANAO staff granted privileged (researcher) access to entity document management systems must ensure that all information searches relate directly to an active audit or review and are conducted for the purpose of gathering evidence. When a performance statement audit collects the emails of audited entities or the personal data of auditee clients on a bulk basis, the audit team shall ensure that auditee information is held, accessed, analysed and reported by the ANAO in a manner that meets the audit objective with the minimum reasonable risk posed to the confidentiality and privacy of individual audit staff, contractors, auditee clients and other stakeholders.

322.6 If an entity is not providing evidence in a cooperative manner, the audit team shall consult with the Engagement Executive and PSASG GED in the first instance to escalate the request. The ability to use section 32 powers to obtain information is not delegated and can therefore only be exercised by the Auditor-General. Any request for the Auditor-General to use section 32 powers shall be made through the PSASG GED.

322.7 Any request to engage with a Minister or ex-Minister or their staff or former officials of an audited entity to obtain audit evidence shall be approved by the Auditor-General.

322.8 Audit teams shall adopt an attitude of professional scepticism in making independent judgements about audit evidence during an audit.

322.9 When using information produced by the entity to perform audit procedures and gather audit evidence, the audit team shall evaluate whether the information is sufficiently relevant and reliable for the purpose of the audit, including obtaining audit evidence about the accuracy and completeness of the information.

322.10 The audit team shall conclude whether sufficient appropriate audit evidence has been obtained. In forming an opinion, the auditor shall consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the performance statements report.

322.11 If the audit team has not obtained sufficient appropriate audit evidence, they shall attempt to obtain further audit evidence and include appropriate documentation in the audit file. If the audit team is unable to obtain sufficient appropriate audit evidence, the auditor shall consider the impact on the audit opinion.

Guidance

Gathering audit evidence

322.12 In order to not be materially misstated, the performance statements must be based upon appropriate performance measures, and the measurement of the entity’s performance against those measures must be completely and accurately reported.

322.13 Audit evidence is information obtained and used to support the audit conclusion. The collection, analysis and use of evidence are essential elements of the effective conduct of a performance statements audit.

322.14 Decisions concerning the evidence-gathering process begin at the planning phase of an audit. The exercise of professional judgement concerning sufficient and appropriate audit evidence then continues throughout the audit. The audit team must assess whether the evidence obtained has the sufficient quantity and the appropriate quality. This assessment will inform the decision to obtain additional or different evidence.

322.15 Auditors need to have discussions with the auditees about the available evidence at the planning, interim and execution phases. They should ascertain the nature of the evidence and how it will need to be collected, analysed and interpreted by the audit team.

322.16 It is important that the audit team obtains evidence from a variety of sources, as different perspectives and conclusions may be presented from multiple sources. It is necessary to continually identify potential sources of evidence during the conduct of the audit. This is because not all circumstances can be foreseen during planning.

322.17 The four main types of audit evidence and their sources are set out in the table below.

Types of evidence

Sources of evidence

Physical

Physical evidence is obtained by observing people and events or examining property. It can take the form of photographs, charts or maps and detailed written descriptions of observations made.

Oral

Oral or testimonial evidence is obtained in the form of statements in response to inquiries or interviews. Oral evidence can be obtained from entity staff and clients, other stakeholders or experts. Interviews conducted to obtain oral evidence can be structured or unstructured and may involve the use of formal questionnaires and sampling techniques.

Documentary

Documentary evidence in physical or electronic form is the most common form of evidence. It may be obtained from within or outside the entity and includes such things as: policy statements and legislation, reports, reviews and evaluations, letters and minutes, emails and phone records, procedures and guidelines, risk assessment plans, planning and budget documents, contracts and leases, performance results, client feedback, computer system records, personnel documents and organisation charts.

Analysis of information and data

Analyses of data and other information can be obtained from the entity (and may need verification) or can be generated by the audit team. It includes the analysis of ratios and trends, comparisons of procedures and operations with standards or specified requirements, and analysis of substantive testing of transactions.

   

322.18 Appropriateness of audit evidence is attributed to both the relevance and reliability of the evidence. While the assessment of sufficiency and appropriateness is a professional judgement of the auditor in each case, auditors may find it helpful to consider the following generalised statements concerning evidence appropriateness:

  • documentary evidence is more reliable than verbal evidence, but the reliability varies depending on the source and purpose of the document;
  • testimonial evidence that is corroborated in writing is more reliable than verbal evidence alone;
  • evidence based on many meetings together is more reliable than evidence based on a single or a few meetings;
  • testimonial evidence obtained under conditions in which people may speak freely is more reliable than evidence obtained under circumstances in which people may feel intimidated;
  • evidence obtained from a knowledgeable, credible and unbiased third party is more reliable than evidence obtained from the management of the audited entity or others who have a direct interest in the audited entity;
  • evidence obtained when internal control is effective is more reliable than evidence obtained when internal control is weak or non-existent;
  • evidence obtained through the auditor’s direct observation, computation and inspection is more reliable than evidence obtained indirectly; and
  • original documents are more reliable than copied documents.14

322.19 When gathering evidence, it is important to remember that while individual pieces of data or information, such as date of birth, may not be sensitive or classified, combined with a person’s address and bank account details, the information in aggregate is likely to be more sensitive and will require appropriate handling and storage for privacy and/or security reasons.

322.20 Decisions concerning the retention in audit working papers of data and the results of analysis must balance the need to retain sufficient evidence to support the audit findings and conclusions with the need to reduce the risk of unnecessarily retaining sensitive or classified information. It may be possible, for example, to delete reference to one or more sensitive fields, such as tax file number, without affecting the sufficiency of the audit evidence in the working papers.

322.21 Audited entities will often facilitate the ANAO’s work by giving ANAO staff privileged (researcher) level access to their document management systems. It would be inappropriate to conduct an information search with the purpose of: monitoring an entity’s preparation of a response to an Interim Management Letter or a proposed auditor’s report; or gathering additional information after an audit has concluded.

Gathering evidence on attributes of good performance information

322.22 In the first stage of a performance statements audit, the engagement team focuses on assessing whether the performance measures are in accordance with the PGPA Rule, which includes that the performance measures:

  • relate directly to one or more of the entity’s purposes or key activities;
  • use sources of information and methodologies that are reliable and verifiable;
  • provide an unbiased basis for the measurement and assessment of the entity’s performance;
  • where reasonably practicable, comprise a mix of qualitative and quantitative measures;
  • include measures of the entity’s outputs, efficiency and effectiveness if those things are appropriate measures of the entity’s performance;
  • provide a basis for an assessment of the entity’s performance over time; and
  • have specified targets where it is reasonably practicable to set a target.

322.23 Where performance measures are judged to be appropriate, this means the auditor has concluded that they are capable of being included by the auditee in the preparation of complete and accurate performance statements, and the auditor can therefore infer that they implicitly address the attributes that are features of effective performance information. From the assessment of the appropriateness of an entity’s performance measures, the seven attributes of appropriate performance measures are considered and therefore also form the basis of the audit’s risk assessment for the completeness and accuracy of the performance statements.

322.24 Attributes or financial statements audit assertions may be a useful way for the auditor to consider the different types of potential misstatements that may occur for appropriate performance measure, and to design assurance procedures accordingly. While the attributes of appropriate performance measures (reliability, free from bias, etc) are useful general categories for thinking about the risk of material misstatement, auditors will be able to design more efficient and effective audit procedures where the risks of material misstatement are understood and identified at a more specific level.

Verifying audit evidence

322.25 Verifying audit evidence is the first step in analysing audit evidence to ensure that audit findings, conclusions and recommendations are based on sound evidence.

322.26 The risk, significance and sensitivity of the matter to be reported will determine not only the nature and amount of evidence to be collected, but also the extent of verification.

322.27 Assessing information obtained from entity records is particularly important in circumstances where management information, such as program expenditures, is to be relied on. In these cases, it is essential that the completeness and accuracy of this information is assessed through appropriate audit testing to give the ANAO confidence that the systems and processes used to produce the information can be relied on. This will involve reviewing key system controls, testing a sample of transactions or a combination of those approaches.

322.28 Audit testing is required to be undertaken in these circumstances irrespective of when such information is obtained.

322.29 The ANAO’s policy in relation to sufficient appropriate audit evidence also applies to any work performed by an expert. When using the work of an expert to support audit findings and conclusions, it must be adequate for that purpose, recognising that the responsibility for the findings generated or conclusions drawn from the work undertaken by an expert rests solely with the ANAO.

322.30 Professional scepticism (ASAE 3000 paragraph A76) means an attitude that includes being alert to, for example:

  1. evidence that is inconsistent with other evidence obtained;
  2. information that calls into question the reliability of documents and responses to enquiries to be used as evidence;
  3. circumstances that suggest the need for procedures in addition to those required by relevant ASAEs; and
  4. conditions that may indicate likely misstatement.

322.31 The type of audit evidence gathered will determine the available verification approaches available:

Type of evidence

Verification technique

Physical

The observation is recorded using, for example, image capture technologies.

Oral/testimonial

The interviewee confirms in writing the facts of the discussion.

A number of independent sources confirm the evidence, for example, interviews with staff, documentation and expert advice.

Where the oral evidence has been collected by the auditee, a properly designed an executed survey provides more reliable results.

The facts of a discussion are confirmed from other sources. The oral evidence is recorded.

Documentary

Documentary evidence is obtained from more than one source.

Documentary evidence is the final version and has the appropriate approvals and sign-offs.

The matters set out in the document, for example are tested for accuracy.

Internal system controls are tested and/or electronic records are validated.

Adherence to procedures or plans is tested to determine that they are followed in practice.

Internally generated reports

Ensure that the report is a standard system report, unable to be changed by the auditee.

Technical re-performance using IT specialists.

Samples of data are tested for accuracy, completeness and validity.

Further guidance on these approaches is provided below.

   

322.32 There are a number of different approaches to test completeness and accuracy of internally generated reports, and each approach provides a varying level of comfort. Professional judgement is required to determine the most appropriate method in the circumstances based on an understanding of how the report is generated and the desired level of comfort.

Standard system reports

322.33 Where the auditee is utilising standard system reports the level of risk that the information reported in an internally generated report is inconsistent with the underlying information captured within the system is relatively low. When the controls for producing the reports have been tested, then there is a reasonable expectation that any errors would have been identified by the system. This does not necessarily mean that the underlying information captured by the system accurately records the events or transactions, unless there are controls in place that the auditor can rely upon that prevents or detects the capture of erroneous data.

322.34 Typical considerations to document include:

  1. auditee does not have a development environment, or access to such an environment is limited to external vendor accounts;
  2. review of change management logs shows no changes except expected vendor management transactions;
  3. collaborative enquiry with different sources within the organisation confirms that the auditee does not undertake development/have access to the application source code;
  4. ANAO understanding of the application based on knowledge and experience is that the application is ‘off-the-shelf’ and vendor supported; and
  5. ANAO review of the standard user guides identifies the specific reports/controls to be part of the packaged application.

322.35 These are considerations only. It is important that the ANAO is comfortable that the standard reports are unable to be changed by the auditee and only by the vendor.

Technical re-performance

322.36 Technical re-performance involves reviewing the code (e.g. an SQL query) which is used by the system to produce the report. This can only be performed when the auditee is able to access the code, and when the audit team have appropriately skilled team members who can understand the code.

Using the work of other ANAO audit teams

322.37 Performance statement auditors should determine whether the work of the other ANAO audit teams can be used for the purpose of the performance statements audit by evaluating the following:

  1. the timing of such work;
  2. the nature of the work performance;
  3. the extent of the audit coverage;
  4. materiality levels set for both audits;
  5. proposed methods of item selection and sample size;
  6. the documentation of the work performance; and
  7. review and reporting procedures.

322.38 As a basis for determining the areas and the extent of work which other ANAO audit teams have completed, the performance statements auditor should consider the nature and scope of the work that has been performed and its relevance to the performance statements auditor’s overall audit strategy and audit plan.

322.39 Examples of work of other ANAO audit teams that can be used by the performance statements auditors include the following:

  1. testing of the operating effectiveness of controls by financial statement auditors or others;
  2. tracing transactions through the information system relevant to reporting by SADA specialists; and
  3. testing of compliance with regulatory requirements by a performance audit team.

322.40 Coordination between audit teams is effective when, for example:

  1. discussions take place at appropriate intervals throughout the period;
  2. the performance statements audit team informs the other ANAO audit teams of significant matters that may affect the other part of the ANAO;
  3. the performance statements audit team is advised of and has timely access to relevant reports and is informed of any significant matters that come to the attention of other parts of the ANAO;
  4. all auditors involved use TeamMate files to document their audit work to facilitate the review of the work by the main audit team.

323. Sampling and selecting items for testing

Background

323.1 The approaches available to the auditor for selecting items for testing are:

  1. selecting all items;
  2. selecting specific items (commonly known as targeted testing); and
  3. representative sampling (both statistical and non-statistical).

323.2 The means by which items are selected for testing should be determined by the most efficient and effective means to obtain the necessary assurance given the characteristics of the performance measure.

323.3 There is no representative sampling approach specifically developed and implemented for performance statement auditing and performance statement auditors may choose the approach from either the financial statements or performance audit methodologies that is most suitable for the audit need.

323.4 The ANAO’s financial statements auditing representative sampling methodology (including controls, non-statistical and accept-reject testing) will generally be most appropriate to apply in circumstances where the audited information is financial in nature or where the control environment is effective. The financial statements audit methodology is a non-statistical methodology designed to be highly efficient in circumstances where the error rate is low.

323.5 The ANAO uses both statistical and non-statistical sampling methods. The ANAO non-statistical sampling approach is based on statistical sampling principles. Typically, non-statistical sampling will be more efficient than statistical sampling. The performance audit representative sampling methodology is a statistical approach and may be more suitable where the error rate is higher, for example because of a lack of controls over the recording of information.

323.6 In some situations, representative sampling may not be appropriate. For example, the auditor may use targeted testing or 100% selection of a population where individual items in a population are significant to the performance measure overall. In other situations, sampling may be less efficient than other acceptable alternatives because of the time it takes to examine a larger number of transactions.

323.7 When a decision is made to use a representative sampling approach, the objective ‘is to provide a reasonable basis for the auditor to draw conclusions about the population from which the sample is selected.15 When a decision is made to use a targeted testing approach, the objective is to provide a reasonable basis for the auditor to draw a conclusion on the targeted items only and no conclusion is drawn on the untested items or extrapolated to the population as a whole.

Policy

Sampling for tests of controls

323.8 The non-statistical sampling method shall be used when undertaking tests of controls, including the audit methodology control testing sampling template.16

323.9 When testing controls on a rotational basis, sample size and selection shall be consistent with the relevant requirements of Chapter 114 -Selecting Items for Testing in the FSASG volume of this manual.

323.10 Exceptions identified when performing tests of controls shall be evaluated to determine whether the exceptions are isolated instances which can be remediated by the auditee.

Sampling for tests of details (substantive testing)

323.11 One or a combination of the following testing approaches shall be used when conducting tests of details of performance statements:

  • non-statistical sampling;
  • accept-reject testing;
  • statistical sampling;
  • targeted testing; and/or
  • census testing (testing the entire population).

323.12 Substantive tests shall be conducted using the relevant substantive sampling template.17

323.13 Non-statistical sampling shall only be used to test performance measures that are financial in nature where the tested population is expressed and the materiality of identified misstatements can be assessed in monetary terms.

323.14 Accept-reject testing and statistical sampling shall only be used to test attributes of performance measures that are non-financial and are capable of a binary (yes or no) assessment.

323.15 When using the statistical sampling approach, the following exceptions to the performance audit sampling methodology may be made with documented Engagement Executive approval18:

  • Using a confidence level of less than 80 per cent where audit evidence from other sources (controls testing, other substantive testing or a combination of both) reduces the amount of evidence required from the sampled testing; or
  • Applying statistical sampling for a population less than 250 where it is impracticable to obtain the relevant audit evidence by alternate means.
Approaches for selecting items for representative samples

323.16 The prescribed methods of selecting representative samples from a population are random selection, systematic selection and haphazard selection.

323.17 Haphazard selection of items for testing shall only be used in rare and unusual circumstances where there is a substantial reason that random or systematic sample selection is not practicable. Each use of haphazard selection shall have a documented basis for why this approach was determined to be an efficient and effective method and shall be approved by the Engagement Executive.

Guidance

323.18 The ANAO’s methodology for financial statement audit non-statistical sampling and accept-reject testing is described in Chapter 114 of the FSASG Specific volume of this Audit Manual, the Online Audit Guide in TeamMate and is supported by templates located on TeamMate — TeamStore.

323.19 The relevant references in the Online Audit Guide are:

  1. Test of Controls (Non-statistical Sampling) — section 5403;
  2. Test of Details (Non-statistical Sampling) — section 6201.4.1.6;
  3. Test of Details (Accept-Reject Testing) — section 6201.3.1; and
  4. Test of Details (Targeted Testing) — section 6201.2.
Statistical and non-statistical sampling

323.20 Although auditing standards recognise both non-statistical and statistical sampling, the preferred approach for performance statements is the use of non-statistical audit sampling. The primary advantages of statistical audit sampling are a statistically derived sample size and a statistically determined evaluation of sampling risk.

323.21 However, the advantages of statistical sampling do not outweigh the primary disadvantages, which include the use of formal techniques to:

  1. determine the sample size;
  2. determine the sample; and
  3. evaluate the results.

323.22 Ordinarily, the application of non-statistical sampling will result in a sample size comparable to the sample size resulting from an efficient and effectively designed statistical sample, considering the same sampling parameters. Therefore, a properly executed application of non-statistical audit sampling through the use of the test of details sampling template will generally be the preferable approach.

323.23 In some circumstances, the use of a statistical approach may be appropriate where the parameters of the population are outside the range supported by the test of details sampling template, for example an error rate greater than 5%.

323.24 Samples chosen using the supplemental level of assurance and low level of assurance strategies will not provide sufficient substantive evidence on their own but may be suitable in certain parts of a broader audit strategy in certain circumstances. The supplemental level of assurance and low level of assurance strategies accept a higher level of sampling risk on the basis that audit evidence obtained from other audit procedures is contributing to the overall sufficiency of audit evidence. Further guidance on the levels of assurance to be obtained from different sampling approaches is provided at 6201.4.1.6 in the Online Audit Guide.

Stratification

323.25 In some circumstances, it may be convenient to divide a population into monetary or risk-based strata. The population is divided into sub-populations or strata and each stratum is treated separately. The calculation of sample size and selection of the items for testing for each stratum is done separately.

Sample selection techniques

323.26 Random sampling - all items in the population have the same probability of being selected. The auditor selects a random sample by matching random numbers generated by a computer or selected from a random-number table with sequentially numbered items in the population.

323.27 Systematic sampling - the auditor determines a uniform interval by dividing the number of physical units in the population by the sample size. A starting point is randomly selected in the first interval and one item is selected throughout the population at each of the uniform intervals from the starting point.

Judgemental selection

323.28 Haphazard sampling - a sample method that attempts to approximate a random selection by selecting sampling units without any conscious bias. This method of sample selection is not permitted in the ANAO unless the auditor gets the prior approval of the Engagement Executive. A situation where haphazard selection might be approved is in the audit procedure where the purpose of the audit test is to demonstrate that assets on hand or transactions that have occurred (such as a set of emails in an inbox) have been completely recorded in the auditee’s system. The unstructured nature of these sampling units may prevent the auditor from practically using an application to randomly or systematically select items. The rationale and approval are required to be documented in the working papers.

323.29 Other forms of judgemental sampling are not allowed as they are not prescribed by paragraph 323.16. Inappropriate forms of judgemental sampling for representative testing include intentional bias sampling and block sampling.

323.30 Intentional Bias - the auditor selects from the population based on some pre-determined criteria. The auditor consciously selects items which are believed to be representative. This form of selection is distinct from targeted testing which is a substantive sampling technique but is not appropriate for representative audit sampling. If this approach is considered, the audit team should implement a targeted testing or stratified approach which incorporates an element of targeted testing.

323.31 Block Sample - involves the selection of some contiguous items, for example items in sequence. It is common when conducting cut-off testing. This method of selection is a non-sampling technique and does not result in a representative sample.

Choosing a sample before period end (Interim testing)

323.32 Sampling populations will typically be for the full financial year. Where controls testing or substantive testing is to be performed before the end of the period, the auditor can estimate the total population and determine the sample size for the estimated population. The auditor can then test those sampled items that have occurred at interim and test the remaining sample at final. There are different methods of implementing this approach but any approach used must allow for each unit in the complete population having an equal chance of selection.

323.33 Should an auditor wish to draw a conclusion at a point in time before the period end, the population from which the sample is chosen needs to be defined at that point in time and the sample size generated accordingly.

Deviations and misstatements

323.34 The following paragraphs provide guidance on evaluating deviations and misstatements under the headings ‘controls testing’ and ‘substantive tests of detail’, respectively. When applying this guidance, regard should be given to the requirement for the auditor to obtain a high degree of certainty that deviations or misstatements are not representative of the population, by performing additional audit procedures.

Controls testing

323.35 The control testing sampling template is used for controls testing when using ANAO non-statistical sampling. Note that the sample sizes which are typically used in initial samples do not allow for any exceptions. The history of control deviations should be considered in deciding whether to use this approach.

323.36 If the auditee is able to fix identified control errors which are demonstrated to be isolated instances, the auditor can then select a ‘remediated sample’ and retest the control to form a conclusion on its effective operation. A ‘remediated sample’ is an additional sample selected from the population; the size of the remediated sample is smaller than the original sample and is generated by the control testing sampling template using the same initial parameters.

323.37 Remediation of errors is only appropriate where the auditee intends to revise all affected control events for the period and there is an intention to rely on these controls. Where the auditor is unable to determine if the exceptions are isolated instances which can be remediated, it may be possible to quarantine those transactions in which the errors where identified. For example, there may be a one-week period where a contractor was responsible for the operation of the control and it is possible to exclude transactions for that week from the population. The auditor can then select a remediated sample excluding those transactions and retest the control to form a conclusion on the controls for that part of the population not excluded.

Substantive tests of detail

323.38 Where the financial statements audit non-statistical sampling approach is used, any deviations would be assessed in accordance with the financial statements audit approach to projecting financial misstatements as described in Chapter 114 of the FSASG volume of this manual and the relevant provisions described above of the Online Audit Guide.

323.39 When applying a binary / attribute representative sampling approach (either accept reject or performance audit representative sampling), the audit team must assess whether the level of error/deviation detected in the initially chosen sample is acceptable given the expected level of error set when the sample size is chosen. If the error rate is greater than initially expected, both sampling approaches require additional samples to be selected and tested or the application of an alternative sampling approach.

323.40 In determining whether a binary / attribute sampling approach is an efficient and effective audit approach, audit teams should consider the impact of the expected error rate on the sufficiency and appropriateness of the audit evidence. For example, if the expected error rate is 15% and the quantitative materiality for the related performance error is 5% the audit testing completed will not be sufficiently precise for the auditor to conclude that the performance result is not materially misstated.

323.41 Projected errors based upon representative tests of details may be suitable for determining whether the residual risk resulting from identified misstatement is acceptable to the auditor but are not suitable bases for the auditee making an adjustment to their reported results. Where the detected error rate is too high for the auditor to tolerate, the auditee will need to perform its own procedures to determine the appropriate amendments required to allow the auditor to perform additional testing to be satisfied that the adjusted figure is not materially misstated.

323.42 In determining the level of assurance required from a representative sample, all substantive sampling approaches provide for a high or moderate level of assurance which indicates the level of sampling risk. In some circumstances a low level of assurance with a higher level of sampling risk may be appropriate. A sample size giving a high level of assurance from a representative sample may be required where the sample being selected is the principal evidence over a performance measure at a moderate or higher level of risk.

323.43 Alternatively, if the audit had obtained evidence about the design, implementation and operating effectiveness of controls over the performance measure it is less likely that a high level of assurance is required from the substantive audit sample. Similarly, if there are multiple substantive samples or other sources of substantive audit evidence (such as an analytical review procedure or evidence obtained from relying upon financial audit procedures) may support the audit team to conclude that a lower level of assurance is required from the planned substantive sample.

324. Representation letters

Policy

324.1 All ANAO performance statements audits shall be supported by written representations (representation letters) consistent with ASAE 3000 and this policy.

324.2 Representation letters (RLs) shall be signed by the head of management who has appropriate responsibilities for the performance statements and knowledge of the matters concerned.

324.3 Representations are required from management, as follows:

  1. for non-corporate Commonwealth entities, the Accountable Authority shall sign the Management Representation Letter (MRL)19; and
  2. for corporate Commonwealth entities the Chief Executive Officer (CEO) shall sign the MRL.

324.4 The Engagement Executive shall consider whether it is necessary to also obtain management representations from the senior executive(s) with overall responsibility for the preparation of the performance statements, as delegated by the Accountable Authority or CEO.

324.5 The representations to be obtained shall include all representations required by the auditing standards, this policy and the approved template, including (but not limited to):

  1. that management has fulfilled its responsibility in accordance with the PGPA Act for the preparation of appropriate and accurate performance statements;
  2. that significant assumptions used in making any material estimates are reasonable;
  3. that management believe all uncorrected misstatements identified by the audit team do not result in material misstatement of the performance statements20; and
  4. that the entity has communicated to the ANAO:
    1. all deficiencies in internal control relevant to the engagement that are not clearly trivial and inconsequential of which the auditee is aware; and
    2. any events subsequent to the period covered by the performance statements up to the date of the final report that could have a significant effect on the performance statements or the auditor’s report thereon.

324.6 Where any representation in the approved template is proposed by the engagement team to be excluded this shall only be done with the approval of the PSRG GED. This requirement does not include minor amendments of an editorial nature or the exclusion of representations that the template provides are only required in specific circumstances where those circumstances are not applicable.

324.7 If management or TCWG refuse to provide a specific representation, the auditor shall:

  1. discuss the matter with management or TCWG, as appropriate;
  2. re-evaluate the integrity of management and TCWG and evaluate the effect that this may have on the reliability of representations, both oral and written, and audit evidence in general; and
  3. take appropriate action including determining any additional effect on the auditor’s report (which in certain circumstances shall include a disclaimer of opinion).

324.8 The RL(s) shall be dated and signed the same date as the auditor’s report or as near as practicable to, but not after, that date.

Guidance

324.9 The auditor is required under the auditing standards to get written representations from management and, where appropriate TCWG, that they believe they have fulfilled their responsibilities, and to support other audit evidence in the performance statements. The written representations are written statements from management and TCWG to the auditor which attest to them having fulfilled these responsibilities and may be used to confirm other specific audit matters. A representation letter may be used to focus management’s and TCWG’s attention on particular matters and thus cause them to specifically address those matters in more detail than would otherwise be the case.

324.10 Written representations are requested from those responsible for the preparation of the performance statements. Those individuals may vary depending on the governance structure of the entity and relevant law or regulation; however, management (rather than TCWG) is generally the responsible party. Written representations may therefore be requested from the entity’s chief executive and, if considered appropriate, the management official with delegated authority for the preparation of the performance statements.

324.11 In rare and exceptional circumstances, the auditor may conclude that written representations should be sought from TCWG (i.e. the board of directors of corporate Commonwealth entities) as well as those sought from management as additional audit evidence to address a particular risk of material misstatement. Examples of such circumstances include:

  1. where the auditor believes that management have not discharged their responsibility for the preparation of the performance statements; or
  2. where the auditor considers it necessary to request representations which only TCWG are able to provide; for example, representations that relate to strategic decisions by the Board of Directors which only directors are able to provide.

324.12 Each year, PSRG releases an updated MRL template that reflects the latest relevant auditing standards and the PGPA Rule. These templates should be used and tailored for individual auditees, in particular where additional representations are required in the specific circumstances of an entity. Rarely, a representation in the PSRG template may be omitted if it is not required by the auditing standards and is not relevant to the entity. Approval for such omissions is required from the PSRG GED in accordance with 324.6.

324.13 PSRG does not maintain a template that can be used to obtain written representation from TCWG. When an Engagement Executive decides to obtain written representations from the directors of a corporate Commonwealth entity, those written representations should be in accordance with the ANAO Auditing Standards. The Engagement Executive should consult with PSRG before seeking written representations from directors.

324.14 When there is a delay between signing the RL(s) and the auditor’s report, the auditor should consider the necessity to undertake additional procedures to ensure that no matters have arisen subsequent to the date of the RL(s) which impact on the auditor’s report.

324.15 Written representations provide necessary but not sufficient audit evidence; that is, a representation does not in itself provide sufficient appropriate audit evidence. Circumstances where other appropriate audit evidence does not exist are anticipated to be relatively rare. However, if they do arise, such circumstances can give rise to a limitation of scope, and where it is material, the matter should be referred to QTAC as per the ANAO Audit Manual — Shared Content, paragraph 8.10.

324.16 If management or TCWG provide a representation which is contradicted by other audit evidence, the auditor should investigate the circumstances and reconsider the reliability of other representations made as necessary.

324.17 The auditor is required to re-consider the possible effects on their audit conclusion of the performance statements if there is doubt about the integrity of management or TCWG. This occurs when the representations required are not reliable, or if the representations requested are not provided.

325. Evaluating misstatements and forming the audit conclusion

Background

325.1 In considering misstatements identified during the audit, the auditor’s objective under ASA 450 Evaluation of Misstatements Identified during the Audit is to evaluate:

  1. the effect of identified misstatements on the audit; and
  2. the effect of uncorrected misstatements, if any, on the performance statements.

Policy

Accumulation of misstatements

325.2 All misstatements identified shall be accumulated, except those that are ‘clearly trivial’. The accumulation of misstatements requires misstatements that are not clearly trivial to be documented in the audit file in a manner that allows their cumulative effect to be assessed by the engagement team.

325.3 A misstatement is clearly trivial if it is clearly inconsequential, whether taken individually or in aggregate and whether judged by any criteria of size, nature or circumstances.

325.4 For quantitative misstatements, the auditor shall have regard to the size of the misstatement with respect to the performance materiality established for the relevant performance measure.

325.5 For qualitative misstatements, including those related to narrative performance information, the auditor shall judge them to be clearly trivial where, after assessing the nature and circumstance of the misstatement, it is assessed to be clearly inconsequential either individually or in aggregate to the measurement of the related activity or activities.

Consideration of identified misstatements as the audit progresses

325.6 As the audit progresses, the audit team shall evaluate the effect of accumulated misstatements, including those corrected by management, on:

  1. the overall audit strategy and audit approach; and
  2. any materiality threshold set for each performance measure.

325.7 The audit strategy and approach shall be revised if the nature of identified misstatements (including corrected misstatements) and the circumstances of their occurrence indicate:

  1. that other misstatements may exist which, when considered alongside the misstatements accumulated to date, could be material; or
  2. the existence of deficiencies in internal control not previously identified that give rise to additional risk of material misstatement.
Communication and correction of misstatements

325.8 All accumulated misstatements shall be reported in writing to the appropriate level of management. Management shall be asked to adjust accumulated misstatements in the performance statements.

Evaluating the effect of uncorrected misstatements

325.9 Uncorrected accumulated misstatements shall be assessed, both individually and in aggregate, and a conclusion made as to whether they are material to the performance statements in accordance with Chapter 325 of this manual.

325.10 Any misstatement combination of misstatements that has the effect of changing whether or not a related target for the performance measure was met shall be considered a material misstatement to the performance measure unless there are other qualitative factors that rebut this presumption.

325.11 Any misstatement, except those that are clearly trivial, where the extent of misstatement is known by the auditor with surety (including that the misstatement does not involve professional judgement and is not subject to sampling risk) that is communicated to the auditee and the auditee does not take all reasonable steps to correct in the performance statements, is deemed to be material.

Accumulating the effect of uncorrected misstatements

325.12 All uncorrected misstatements shall be initially aggregated at the level of each performance measure and the auditor shall consider the cumulative effect of all misstatements identified against an individual performance measure, including but not limited to:

  1. the individual and combined effect of misstatements across multiple performance targets for composite performance measures; and
  2. misstatements (including misstatements by omission) in the accompanying disclosures.

325.13 In addition, all misstatements (including those that have not been assessed as giving rise to a material misstatement of an individual performance measure) shall be aggregated at all levels of accumulation that are presented in the performance statements and assessed whether they cumulatively represent a misstatement at that level. This shall include the purpose, key activity and program levels if those levels are included in the performance statements.

Communication with those charged with governance

325.14 The audit team shall communicate to TCWG all uncorrected misstatements and the effect that they, individually or in aggregate, may have on the conclusion in the auditor’s report. Uncorrected misstatements that may contribute to a material misstatement shall be identified individually, as their impact on the audit conclusion will need to be considered. The auditor shall request that uncorrected misstatements be corrected.

Documentation

325.15 The auditor shall document each misstatement that is to be accumulated, each other misstatement, and conclusions as to whether the misstatements are material individually or in aggregate.

Prior period misstatements identified in the current audit

325.16 During the course of an audit, teams or the auditee might discover misstatements that relate to prior periods. In such circumstances, the auditor shall:

  1. evaluate the effect of uncorrected misstatements on the conclusion formed in the prior periods, taking into account the newly-discovered misstatements; and
  2. consider the effect, if any, on the current year audit conclusion.

325.17 Material prior period misstatements require consultation as per ANAO Audit Manual - Shared Content, paragraph 8.17.

Forming the audit conclusion

325.18 Having identified, accumulated and assessed any uncorrected material misstatements Engagement Executives shall form the overall audit conclusion in accordance with ASAE 3000, including assessing whether sufficient and appropriate audit evidence has been obtained to support the proposed audit conclusion.

325.19 Where the Engagement Executive has proposed or considered then not proposed any of the following21, it shall be referred to QTAC for determination in accordance with the QTAC policy and processes specified in Chapter 8 of the ANAO Audit Manual - Shared Content:

  1. a qualified audit conclusion;
  2. an adverse audit conclusion;
  3. a disclaimer of conclusion; or
  4. an other matter or emphasis of matter paragraph.

Guidance

Types of misstatement

325.20 There are four main types of misstatements in quantitative and qualitative performance measures:

  1. omissions of information;
  2. incorrect claims in information;
  3. misleading or unclear representation of information; and
  4. bias in information so that positive aspects of performance are given focus in reporting with negative aspects of performance omitted.
Accumulation of identified misstatements

325.21 Misstatements that are not clearly trivial are accumulated in the audit file in a manner that allows for referral to the auditee and evaluation by the audit team.

325.22 There are two main ways that uncorrected misstatements will be assessed when determining the cumulative effect of uncorrected misstatements on the audit conclusion.

  1. The engagement team will assess the impact of all identified uncorrected misstatements on individual performance measures. Where there is more than one misstatement for a particular performance measure the auditor may conclude that any one misstatement is not material but the cumulative effect of the misstatements means that users are misled.
  2. Following the assessment of accumulated misstatements at the individual performance measure level, the engagement team then considers the uncorrected misstatements cumulatively against key activities/programs, then outcomes, then the entity itself.

325.23 As each auditee presents its information differently (for example by activities, programs etc.), the approach to accumulating misstatements at levels higher than individual misstatements may differ for each entity. The principle however is consistent that the starting point is determining if there is a material misstatement at the performance measure level then considering the impact of that misstatement at each higher level presented by the auditee in the performance statements until the overall impact on the fair presentation of performance at the whole statement level is considered.

325.24 To help in evaluating the effect of misstatements, misstatements may be categorised as follows:

  1. factual misstatements: the amount of the misstatement is known;
  2. judgmental misstatements: differences arising from the judgements of management about accounting estimates that the auditor considers unreasonable, or the selection or application of accounting policies that the auditor considers unreasonable;
  3. projected misstatements: the auditor’s best estimate of misstatements in populations based on projections of misstatements in sampling. Note that as projected misstatements are only an estimate of misstatements, management should not adjust the performance statements without further investigation and determining the actual misstatement; and
  4. misstatements that have attributes that make them material by nature.

325.25 After considering misstatements individually, the auditor will need to consider the remaining uncorrected misstatements in combination with others. The practitioner is unlikely to be able to accumulate misstatements and consider them together in the same way as a financial statements audit for a performance statement comprising diverse and varied activities and performance measures. However, the auditor will still need to consider whether there are misstatements that relate to the performance statements as a whole.

325.26 The auditor is required to accumulate all the uncorrected misstatements identified during the engagement other than those that are clearly trivial. This should be documented on a schedule so that the uncorrected misstatements can be considered collectively. While it will not be possible to add up qualitative misstatements or those relating to different elements, it may be possible to group the misstatements according to the elements in the performance statements.

325.27 The auditor should endeavour to group related uncorrected misstatements at the lowest practicable level, for example at the program or key activity. By grouping at this level, misstatements can be collectively assessed against the program or key activity to form a view of the presentation of the overall outcome for that level. The outcomes for all programs or key activities can then be assessed collectively.

325.28 Misstatements of subject matter information in narrative form may need to be concisely described on the schedule for accumulation purposes.

Consideration of identified misstatements as the audit progresses

325.29 A misstatement may not be an isolated occurrence. A misstatement arising from a breakdown in internal control may indicate that other misstatements also exist. Similarly, an inappropriate assumption identified in one measure may suggest that misstatements exist in other measures using the same assumption.

325.30 Where frequent and/or material misstatements have been identified during the engagement, the auditor should consider if the assessments made to date, about whether misstatements are clearly trivial, should be revised if initial expectations about the level of misstatements in the subject matter were too low. If we identify an increased number of misstatements that have been deemed clearly trivial, we may need to revise these assessments until we are satisfied that misstatements treated as clearly trivial, either individually or aggregated with other adjustments, are definitely trivial to the performance statements.

325.31 During the conduct of the audit and as more misstatements are identified the risk increases that the accumulated misstatements taken together would have a significant impact on the decisions of users of the performance statements, even if no single performance measure is misstated by more than the materiality thresholds set during the planning of the audit. In these situations, the audit team needs to consider whether the audit strategy or audit plan need to be reconsidered to reduce this risk. The Engagement Executive may consider explaining to management (and, if considered appropriate, TCWG) the implications for the audit when misstatements are not corrected and strongly encourage them to correct all misstatements that are not clearly trivial. Weaknesses in these areas may also present an audit finding that should be reported in accordance with Chapter 333 of this manual.

Communication and correction of misstatements

325.32 The audit team should promptly advise all accumulated misstatements and uncorrected misstatements related to prior periods to the appropriate level of management, and request that they be corrected. The appropriate level of management is the one that has responsibility and authority to evaluate the misstatements and to take the necessary action. Should management not correct a misstatement, the auditor shall obtain an understanding of management’s reasons and use that understanding when evaluating the unadjusted misstatements for the impact on the performance statements as a whole. If the effect of the unadjusted differences is material, a modified audit report will need to be considered. Uncorrected misstatements that do not contribute to a material misstatement may be advised in aggregate in appropriate cases.

325.33 While there is no requirement for comparative information or for performance measurements to be used year-on-year, where the ANAO has audited the previous year’s performance statements, the audit team needs to be alert to the possibility that the correction of a misstatement identified in that audit by adjustment of the current year’s figures might give rise to a material misstatement in the current year’s figures (i.e. the adjustment causes the current year figures to be materially different to what they would have been had there been no error in the current and prior periods). For example, if the performance measure related to annual production of widgets, a misstatement last year that overstated widget production by 10,000 may have the effect of understating the current year measure by the same amount. In this situation, retrospective restatement and/or suitable disclosure may be necessary if the effect on the current year is material.

Evaluating the effect of uncorrected misstatements

325.34 Before the evaluation of the effect of uncorrected misstatements, the audit team shall re-examine materiality determined during the planning based on the actual performance measure results to confirm whether it remains appropriate.

325.35 The circumstances related to some misstatements may cause the auditor to evaluate them as material, individually or when considered together with other misstatements accumulated during the audit, even if they are lower than the quantitative materiality threshold set. For example, the extent to which a misstatement relates to a fraudulent event or transaction.

325.36 When reviewing individual misstatements, the auditor should assess quantitative and qualitative materiality by considering, for example, whether the item:

  1. is capable of precise measurement or whether it arises from an estimate and, if so, the degree of imprecision inherent in the estimate;
  2. masks a change in overall trends in entity performance;
  3. concerns a segment or other portion of the entity’s business that has been identified as playing a significant role in the entity’s operations or results;
  4. affects material compliance with legal or regulatory requirements;
  5. has the effect of increasing management remuneration, for example, to satisfy the requirements for the award of bonuses or other incentives;
  6. involves concealment of an unlawful transaction;
  7. raises any other issues relating to the entity’s business or industry; and
  8. may affect the decisions of users in response to certain types of disclosures.
Written representations

325.37 The auditor is required to request a written representation from management and, where appropriate, TCWG about uncorrected accumulated misstatements (Refer to Chapter 324 Representation letters).

Minimum documentation - evaluating misstatements

325.38 The following information should be documented:

  1. all misstatements accumulated during the audit and whether they have been corrected; and
  2. the auditor’s conclusion as to whether uncorrected misstatements are material, individually or in aggregate, and the basis for that conclusion.
Forming the audit conclusion

325.39 In an attestation audit, the audit conclusion is formed over the subject matter information of the audit, which for performance statements audits are the performance statements themselves. A modified audit conclusion is required when the performance statements are not free of material misstatement or where the auditor is unable to conclude whether performance statements are free of material misstatements. The term ‘modified conclusion’ covers all audit conclusions except for unqualified.

325.40 Consequently, the identification of possible or actual non-compliance with the broader performance statements framework or the entity’s performance statements preparation process is not automatically a cause for a modified auditor’s report. Instead, in forming the audit conclusion the auditor must assess the impact of any such matter on the performance statements as a whole and through the frame of material misstatements.

325.41 Misstatements are differences between the performance statements and the auditor’s assessment of the appropriate evaluation of the events or transactions being measured in accordance with the performance statements preparation framework specified in the audit criteria. Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence relevant decisions of intended users taken on the basis of the subject matter information.

325.42 As such, in order to form the basis for a modified audit conclusion any issue or combination of issues must:

  1. arise from a material error, omission or falsification (or a potential error, omission or falsification for which audit evidence cannot be obtained) of the performance statements themselves;
  2. represent material non-compliance with the performance reporting requirements included in the audit criteria; and
  3. in the auditor’s judgement, the outcome of (a) and (b) above, is judged by the auditor to reasonably be expected to influence the relevant decisions of intended users of the performance statements.

325.43 Under ASAE 3000 there are four possible conclusions that the auditor can come to:

  1. unqualified — where the auditor concludes that the performance statements comply in all material respects with the audit criteria;
  2. qualified — where the auditor concludes that the performance statements comply with the criteria except for a certain number of material but not pervasive misstatements, or where the auditor is not able to obtain sufficient appropriate evidence over a matter that poses a risk of giving rise to a material but not pervasive misstatement (also known as a scope limitation);
  3. adverse — where the auditor concludes that the performance statements do not comply with the criteria because of the existence of material and pervasive misstatements; or
  4. disclaimer of conclusion — where the auditor is not able to obtain sufficient appropriate audit evidence and the possible impact of this scope limitation is both material and pervasive to the performance statements as a whole.

325.44 To form an audit conclusion, the auditor first must conclude on whether sufficient appropriate audit evidence has been obtained, and where there are deficiencies in the evidence, seek to obtain further evidence. Having considered all the evidence that the auditor has obtained, including evidence that contradicts the information and judgements made by the preparer of the performance statements, if the auditor assesses that sufficient audit evidence has been obtained, a conclusion can be drawn and reported in the auditor’s report.

325.45 Where there is sufficient appropriate audit evidence and no unadjusted misstatements in the performance statements, then an unqualified conclusion can be drawn.

325.46 Where there is sufficient appropriate audit evidence and some unadjusted misstatement, the auditor forms an unqualified, qualified or adverse conclusion depending upon the materiality and pervasiveness of the misstatements.

Assessment of Unadjusted Misstatements

Conclusion Provided

Expression of conclusion

Not material, individually or collectively

Unqualified Conclusion

In my opinion, in all material respects the annual performance statements for (the reporting period) are properly prepared in accordance with (the criteria).

Material but not pervasive

Qualified

In my opinion, in all material respects, except for the effect(s) of the matter(s) described in the Basis for Qualified Conclusion paragraph, the annual performance statements for (the reporting period) are properly prepared in accordance with (the criteria).

Material and pervasive

Adverse

Because of the significance of the matter(s) described in the Basis for Adverse Conclusion paragraph, the annual performance statements for (the reporting period) are not properly prepared in accordance with (the criteria).

     

325.47 Wherever a conclusion other than unqualified is formed, the auditor’s report is required by ASAE 3000 paragraph 69 to include a Basis for Qualified/Adverse/Disclaimer of Conclusion paragraph that describes the reasons for modified conclusion.

325.48 The assessment of the materiality of unadjusted misstatements, individually and collectively, is described in Chapter 325 Evaluating misstatements and forming the audit conclusion.

325.49 Uncorrected misstatements will be pervasive where they also feature one or more of the following characteristics:

  1. they are not confined to specific aspects of the performance statements (e.g. there are material errors in a substantial number of performance measures affecting a number of key activities being measured);
  2. if they are confined, they relate to a substantial proportion of the performance statements (e.g. there is a very significant unadjusted misstatement affecting a very important performance measure relating to a major activity of the entity); or
  3. in relation to disclosures, they are fundamental to the users’ understanding of the performance statements (e.g. the performance statements do not accurately describe the activities or any limitations in the accuracy of the performance measure).

325.50 In circumstances where the auditor is not able to gather sufficient appropriate audit evidence (after considering any practicable means to gather the necessary evidence), the opinion is modified in respect to the possible effects of that scope limitation.

Possible Effects of Scope Limitation

Conclusion Provided

Expression of conclusion

Material but not pervasive

Qualified

In my opinion, in all material respects, except for the possible effect(s) of the matter(s) described in the Basis for Qualified Conclusion paragraph, the annual performance statements for (the reporting period) are properly prepared in accordance with (the criteria).

Material and pervasive

Disclaimer

Because of the significance of the matter described in the Basis for Disclaimer of Conclusion section of my report, I have not been able to obtain sufficient appropriate evidence to form a conclusion on the annual performance statements for (reporting period)’s compliance with (the criteria). Accordingly, I do not express a conclusion on those performance statements.

     

325.51 In circumstances where the auditor is not able to gather sufficient appropriate audit evidence (after considering any practicable means to gather the necessary evidence), the opinion is modified in respect to the possible effects of that scope limitation.

325.52 In all circumstances where a conclusion other than unqualified is being considered, consultation with QTAC is required. In accordance with ANAO Audit Manual — Shared Content Chapter 8, a meeting of QTAC should be convened to consider the Engagement Executive’s basis for assessing that a modified conclusion may be required and form a recommendation to the Auditor-General about an appropriate ANAO response to the circumstances, including the appropriate conclusion to be drawn. In accordance with ANAO Audit Manual — Shared Content Chapter 8, the Auditor-General is the final decision maker on all matters referred to QTAC.

Relationship between identified misstatements and the audit conclusion

325.53 Any combination of misstatements that is collectively material to the overall performance statements would give rise to at least a qualified audit conclusion. In making the assessment of whether misstatements are collectively material and, there are two main frames for consideration, which may also affect the description of the modification in the auditor’s report:

  1. by performance measure; and
  2. by criteria.

325.54 Some audit criteria, such as compliance with the PGPA legislative framework, are unlikely to be specifically related to particular activities or performance measures. It will therefore only be meaningful to judge their overall impact based upon the collective impact of any misstatements or issues on the performance statements as a whole. For example, failure of the Accountable Authority to state that in their opinion the performance statements accurately present the performance of the entity during the period cannot be isolated to particular performance measures and, given how fundamental this assertion is to the understanding of the users and to the ANAO in obtaining sufficient appropriate audit evidence, would likely be regarded as pervasive.

325.55 Other criteria, such as the accurate presentation of the results of the performance measures, are likely to be specifically related to narrower aspects of the performance statements. Unless such issues are the result of systematic failures in the preparation of the performance statements, the auditor could likely form a view and express a Basis for Conclusion that the particular performance measure was misstated.

325.56 To determine what the overall impact is on the audit conclusion, when assessing at the activity/performance measure level, the application of materiality should consider the information needs of the users, including:

  1. how significant is the misstatement to the purpose (is it particularly large or important relative to the base measure)?
  2. are there other misstatements also impacting upon the program (is the collective misstatement relatively large or important relative to the program or key activity)?
  3. how significant is the performance measure/activity to the related program or key activities?
  4. is the misstatement material in nature, including:
    1. does it change whether or not the entity is able to report that the performance measure’s target has been achieved?
    2. does it impact upon a previously reported position or the change in an overall trend or expectation of users?
    3. does it relate to non-compliance with key legislation or relate to criminal or fraudulent behaviour?
    4. was the misstatement deliberately made by management or does management refuse to adjust the error for reasons other than immateriality?

325.57 For example, a very large misstatement of a performance measure (for example, reporting that 10,000 widgets were produced in 20XX where 500 of those widgets were actually produced in 20XY) may still not be material to the overall audit conclusion if that error was isolated and did not relate to a major activity of the entity. On the other hand, a relatively small error of 100 widgets out of 10,000 would likely be material if there was evidence that management had deliberately misstated the result to achieve a target.

325.58 To determine what the overall impact is on the audit conclusion, when assessing at the performance measure level, the application of materiality should consider:

  1. how significant is the deviation from the performance measure relative to the performance measure itself (where the auditee has reported a performance result that is quantitatively in error but has fallen far short of the performance target and reported as such, we may assess in qualitative terms that a misstatement is less material)?
  2. how significant is the performance measure to the overall audit objective (can the performance statements meet the overall objective despite not meeting this particular performance measure)?
  3. are there deviations from other performance measures also impacting the overall audit objective (how does this performance measure accumulate with others to meet the overall audit objective)?

325.59 Identified deficiencies against one performance measure do not necessarily mean that the performance statements as a whole are materially misstated, the auditor’s report may still conclude that the performance statements are prepared in all material respects in accordance with the audit criteria except for the specific matter. For example, where one or more performance measure has not been met, and those deviations have been identified, accumulated, and assessed material but isolated and not considered pervasive, an ‘and except for’ qualification may suffice.

Engagement performance — reporting

Chapters 331 to 334

331. Communicating audit findings

Background

331.1 The ANAO Auditing Standards define management and TCWG. In addition, legislation or other authority may require or permit audit findings to be reported to a responsible Minister and to Parliament.

331.2 The ANAO Auditing Standards require particular audit findings to be communicated to management and TCWG, respectively.

331.3 As required by the ANAO Auditing Standards, audit findings to be communicated to management include:

  1. deficiencies in internal control, including those to prevent or detect fraud;
  2. an actual or possible fraud;
  3. non-compliance with laws and regulations; and
  4. misstatements that are not clearly trivial for correction and material misstatements indicative of a deficiency in internal control.

331.4 As required by the ANAO Auditing Standards, audit findings to be communicated to TCWG include:

  1. most of the audit findings communicated to management, including all significant deficiencies in internal control in writing;
  2. fraud involving management or certain others;
  3. intentional and material non-compliance involving management;
  4. audit matters (findings per this policy) of governance interest; and
  5. all uncorrected misstatements (see Chapter 325 Evaluating misstatements and forming the audit conclusion for further policy and guidance on communication of misstatements to TCWG).

331.5 Audit findings are categorised according to the criteria below.

Policy

331.6 Audit findings shall be categorised using the following criteria:

  • Category A: Issues that pose a significant risk to the entity’s performance statements preparation; these include issues that could result in the material misstatement of the entity’s performance statements;
  • Category B: Issues that pose moderate risk to the entity’s performance statements preparation; these may include prior year issues that have not been satisfactorily addressed;
  • Category C: Issues that pose a low risk to the entity’s performance statements preparation; these may include findings that, if not addressed, could pose a moderate risk in the future;
  • Category L1: Instances of significant potential or actual breaches of the Constitution, and instances of significant non-compliance with the entity’s enabling legislation, legislation that the entity is responsible for administering, and the PGPA Act; and
  • Category L2: Instances of non-compliance with subordinate legislation such as the PGPA Rules.
Audit findings to be communicated to management

331.7 All audit findings, categorised consistent with paragraph 331.6 above, shall be communicated to the appropriate level of management in writing.

Audit findings to be communicated to those charged with governance

331.8 As a minimum, audit findings in categories A, B, and L1 shall be communicated to TCWG in writing.

Audit findings to be reported to the parliament

331.9 The content of Audit Reports on these matters to the Parliament is determined by the Auditor-General.

331.10 Where an Engagement Executive considers that non-secret information shall be excluded from a report to Parliament on the grounds that it is sensitive within the meaning of section 37 of the A-G Act, the Engagement Executive shall provide a recommendation through the GED PSASG to the Auditor-General for decision. Information that is of a secret or top-secret nature shall be discussed in person with the Deputy Auditor-General or Auditor-General.

Rule for reporting audit findings to a higher level of authority

331.11 Audit findings shall be advised in writing to the appropriate level of management before being reported to the responsible Minister. Equally, the responsible Minister shall be advised in writing of audit findings before the audit findings can be reported to Parliament.

Guidance

Appropriate level of management

331.12 The determination of the appropriate level of management requires consideration of the management structure of the entity and is a matter of professional judgement. Ordinarily, it would include the senior executive(s) (or equivalent) delegated with overall responsibility for preparation of the performance statements and can include those who have responsibilities for corporate functions and IT systems.

Sensitive information

331.13 Situations where information should not be included in public reports are detailed in subsection 37(2) of the A-G Act. Reasons that information is sensitive are:

  1. it would prejudice the security, defence or international relations of the Commonwealth;
  2. it would involve the disclosure of deliberations of decisions of the Cabinet or of a Committee of the Cabinet;
  3. it would prejudice relations between the Commonwealth and a State;
  4. it would divulge any information or matter that was communicated in confidence by the Commonwealth to a State, or by a State to the Commonwealth;
  5. it would unfairly prejudice the commercial interests of any body or person; or
  6. any other reason that could form the basis for a claim by the Crown in right of the Commonwealth in a judicial proceeding that the information should not be disclosed
Individual reports to ministers – interim and year end

331.14 Individual reports to Ministers need to include all information planned to be tabled in the relevant parliamentary report, being the:

  1. Performance Statements Year End Report.
Portfolio reports to ministers

331.15 The purpose of the year end portfolio report is to provide the Minister with a succinct report on the results of and major issues arising from performance statements audits of entities within the Minister’s portfolio, in addition to the audit findings. The report lists reporting entities within the Minister’s portfolio, indicating whether the audit reports are modified and whether significant issues arose during the audit.

331.16 Portfolio wide issues should be highlighted within the report, where possible.

Reference to third parties

331.17 Where an audit finding includes a description of the role of a third party, such as an accounting firm or IT services provider, direct reference to the third party should be avoided where possible. In circumstances where this may not be possible without compromising the context and clarity of the finding this should be discussed with the PSASG GED.

332. Distribution and timing of letters and written reports

Background

332.1 Letters and written reports are normally provided (under legislation, ASAE 3000 and ANAO policy) to:

  1. Management;
  2. TCWG, including Audit Committees;
  3. Ministers; and
  4. Parliament.

332.2 Generally, the basis and nature of letters to management and TCWG are sourced in ASAE 3000 and will be required for all performance statement engagements. Reports to Ministers and Parliament are sourced in legislation and are required for performance statements audits under the Commonwealth’s performance reporting framework. Where the performance statements audit is conducted under Section 40 of the PGPA Act the ANAO is required to report the outcome of the audit (the auditor’s report) to the requesting Minister, and the Minister is required to table the ANAO’s report and the related performance statements in the Parliament.

332.3 It is important to note that there are situations where legislation or the auditing standards require matters to be reported promptly. Formal reports required in these situations are in addition to the regular reports required by this policy.

332.4 Auditors may also engage in correspondence with entities to resolve particular matters in the course of the audit, for example, about the application of performance measures.

Policy

Letters to management and TCWG

332.5 Letters detailing audit findings and observations shall be provided to management and TCWG, including:

  1. at interim; and
  2. at the end of the audit.22

332.6 At interim, the letter shall address, at a minimum:

  1. ANAO views on the appropriateness of performance measures adopted by the auditee;
  2. summary information on the outcome of other testing performed at the date of the letter, including any controls deficiencies identified;
  3. identified or suspected fraud;
  4. identified or suspected breaches of laws and regulations, other than those that are clearly inconsequential; and
  5. indicators of bias in the preparation of the auditee’s performance information.

332.7 Before releasing written letters to the management or TCWG of Departments of State or other entities included in the ANAO’s Audit Work Program, a draft shall be provided to the Engagement Executive in PASG responsible for the portfolio and to the Engagement Executive responsible for the annual financial statements audit. Any issues raised by PASG or FSASG need to be resolved before the formal release of correspondence.

332.8 A Closing Letter shall be provided for every performance statements audit unless otherwise approved by the PSASG GED to the (head of the) Accountable Authority, including the information required by Chapter 334 of this manual. The Engagement Executive shall issue the Closing Letter at the same time or before the provision of the Audit Report on the performance statements unless the PSASG GED approves a different timeframe.

332.9 Where there are findings and observations to be reported to management or TCWG that are not finalised at the time the Closing Letter is issued, the outcome of those matters shall be reported to management or TCWG as appropriate in writing as soon as practicable.

Audit report on the performance statements

332.10 The audit report on the performance statements shall be signed and provided within 2 business days after the performance statements are signed.

332.11 Engagement Executives shall notify the PSASG GED where the auditor’s report will not be signed and provided within 2 business days after the performance statements are signed.

Guidance

Reports to parliament

332.12 Under section 40 of the PGPA Act, providing the auditor’s report on an entity’s performance statements audit to the Parliament is the obligation of the requesting Minister. The ANAO would not ordinarily provide the auditor’s report to the Parliament in addition to this process but may exercise its power under section 25 of the A-G Act to report to the Parliament about observations and findings about the broader application of the performance reporting framework by the Commonwealth public sector.

332.13 Reports to Parliament are issued under section 25 of the A-G Act. This section allows the Auditor-General to cause a report to be tabled in either House of Parliament on any matter. The A-G Act requires that a copy of such a report be provided to the Prime Minister, the Minister for Finance and to any other Minister who, in the Auditor-General’s opinion, has a special interest in the report

333. Closing letter

Background

333.1 The Closing Letter is prepared to communicate matters that are directly relevant to the performance statements or that the auditing standards require be communicated before the performance statements are signed.

333.2 The distribution and timing of the Closing Letter are dealt with in Chapter 332 Timing and distribution of written reports.

333.3 The Closing Letter may also serve to replace other letters to management TCWG that detail the audit’s findings. Matters to be communicated as audit findings are identified in the Communicating audit findings policy (Chapter 331 of this manual).

Policy

333.4 The Closing Letter shall be in the prescribed form issued by PSRG and include all information identified in the prescribed form as minimum information, which shall include at least:

  1. stating that sufficient appropriate audit evidence has been obtained to provide a basis for the opinion in the auditor’s report, noting any outstanding audit work to be finalised;
  2. stating whether the conclusion in the auditor’s report is unmodified, and if modified, the nature of the modification23;
  3. include a schedule of unadjusted misstatements, and the effect that they, individually or in aggregate, may have on the opinion in the auditor’s report; and
  4. identify significant matters addressed during the audit.

Guidance

333.5 The Closing Letter is prepared on the basis that the content of the management representation letter and performance statements being signed are as anticipated.

333.6 The Closing Letter refers to other matters which are to be included in the auditor’s report. These matters can include a report required on legal or other regulatory requirements or a matter that is relevant to the users’ understanding of the audit, the auditor’s responsibilities or the auditor’s report.24

333.7 The Closing Letter may also include the following elements:

  1. include a schedule of audit adjustments made;
  2. discuss the final audit fee;
  3. acknowledgement of support received from the auditee; and
  4. details of the planned beginning of the audit of the performance statements for next financial year.

334. ANAO auditor’s reports on performance statements

Background

334.1 Where an audit is undertaken under section 40 of the PGPA Act the ANAO is required to report the outcome of the audit (the auditor’s report) to the requesting Minister, and the Minister is required to table the ANAO’s report and the related performance statements in Parliament.

334.2 The form and content of ANAO auditor’s reports on performance statements are determined by the requirements of:

  1. the legislation or arrangement under which the audit is conducted; and
  2. the relevant auditing standards.

334.3 PSRG prepares proforma ANAO auditor’s reports for Commonwealth entities.

Policy

334.4 The Engagement Executive shall prepare the ANAO auditor’s report on each set of performance statements for which the executive is responsible consistent with the designated proforma prepared by PSRG, where such a proforma exists.

334.5 Where an Engagement Executive considers that a variation to the proforma ANAO auditor’s report is required, the proposed variation shall not be used unless approved by the GED PSRG.

334.6 Each ANAO auditor’s report on performance statements shall make a statement on the ANAO’s independence. In the extremely rare circumstances where the independence requirements applicable to the audit cannot be met because of an unavoidable conflict between those requirements and the Auditor-General’s obligations to audit and report, an explanation of the conflict in the ANAO auditor’s report shall be considered.

334.7 The Engagement Executive shall confirm that the auditor’s report tabled in the Parliament under section 40(3) and, where relevant, published on either the Department of Finance or the auditee’s website is identical to that signed for the performance statements audit. Where differences are identified, the Engagement Executive shall request that the auditee or the Department of Finance correct any differences immediately. Where management does not correct identified differences, the Engagement Executive shall notify the PSASG GED.

Guidance

Addressee

334.8 ANAO auditor’s reports on the performance statements of Commonwealth entities are addressed to the requesting Minister under section 40 of the PGPA Act, which will either be the Finance Minister or the Minister who is responsible for the entity.

334.9 For Parliamentary Departments, the relevant presiding officer(s) are regarded as the responsible Minister under the PGPA Act.

334.10 Ministers of State are listed in the official Ministry List by portfolio (Parliamentary Secretaries and Ministers assisting another Minister are effectively regarded as Assistant Ministers). Where a portfolio has more than one minister, all those ministers administer the department with the effect that all ministers are formally able to administer the legislation associated with the department. In practice, each minister in a portfolio will have discrete areas of policy and legislative responsibility.25 The legislation associated with a department is prescribed in the Administrative Arrangements Orders (AAOs) made from time to time by the Governor-General.

334.11 The Ministry List, the AAO and the Legislation Handbook are updated as required and published on the website of the Department of the Prime Minister and Cabinet at the Current Ministry list.

Independence statement within the ANAO auditor’s report

334.12 ANAO policy is to make an independence statement in each ANAO auditor’s report issued on financial statements. For performance statement audits conducted under the Australian Auditing Standards, ASAE 3000 paragraph 69(j) requires the auditor’s report to include a statement on independence.

334.13 Where there is a possibility that the applicable independence requirements cannot be met because of an unavoidable conflict between those requirements and the Auditor-General’s obligation to audit and report, an explanation of the conflict for inclusion in the ANAO auditor’s report needs to be considered. Such a situation is expected to be rare in practice.26

Referral to QTAC

334.14 ANAO policy in respect of QTAC outlines when a proposed ANAO auditor’s report is to be referred to QTAC. Refer to Chapter 8 of the Shared Volume of this manual.

Footnotes

1 Policies about achieving the appropriate level of protective security over information obtained during the course of the audit is addressed at Chapter 321 of this volume.

2 This is consistent with the principles set out in AUASB Guidance Statement GS023 Special Considerations – Public Sector Engagements.

3 This volume of the Audit Manual is written principally for audits performed under section 40 of the PGPA Act which is expected to be the typical audit authority for ANAO’s performance statements auditing function. References to section 40 can be taken to include references the other PGPA Act sections that are applicable to performance statements rather than adding multiple references throughout the document. In the event that instead, an audit is performed under section 18A of the A-G Act, audit teams should consult with PSRG to determine what, if any, application adjustments are required to apply the intent of this manual to such an audit.

4 Refer 3.

5 ASAE 3000, paragraph 32.

6 The approval by the Signing Officer is to assess that the performance statements are appropriate for the purposes of issuing an audit report. The Accountable Authority is responsible for the performance statements report.

7 Appropriateness’ refers to the auditee’s assessment about whether the performance measures that have been included in the entity’s portfolio budget statements, corporate plan and ultimately performance statements comply with the relevant requirements of the PGPA Rule. There are seven attributes of appropriate performance measures:

a. relates directly to one or more of the entity’s purposes or key activities — 16EA(a);

a. uses sources of information and methodologies that are reliable and verifiable — 16EA(b);

b. provides an unbiased basis for the measurement and assessment of the entity’s performance — 16EA(c);

d. where reasonably practicable, comprising a mix of qualitative and quantitative measures — 16EA(d);

e. including measures of the entity’s outputs, efficiency and effectiveness if those things are appropriate measures of the entity’s — 16EA(e);

f. providing a basis for an assessment of the entity’s performance over time — 16EA(f); and

g. where reasonably practicable to set a target, includes a specified target — 16E(5)(b).

8 RMG 134 s16 states that the performance framework builds on three main concepts: entity, purpose and activity.

9 Examples of reasons that would not be bona fide include, but are not limited to, measures that are omitted for the convenience of the auditee or to avoid an undesirable performance result.

10 For example, a department may have regulatory, technical or advisory functions that consume relatively low levels of resources but are central to their role in meeting the entity’s objectives and therefore would be considered important. The auditee’s key legislative and accountability frameworks and documents are the relevant sources for identifying core business of the entity. This includes the Administrative Arrangements Order for a Department of State and the entity’s enabling legislation for other Commonwealth entities. It also includes the objectives and functions provided to the entity in key legislation for which it is responsible and any government policy orders or ministerial directions. Other sources may be considered by audit teams on a case-by-case basis.

11 This relates to the use of performance measures that unreasonably aggregate the performance of activities / programs where the prescribed performance measures do not present a fair view of the auditee’s performance because it has the effect of disguising relevant aspects of the entity’s performance. For example, a performance measure that addresses three significant aspects of the entity’s performance may unreasonably aggregate results if the impact of two areas of good performance disguises materially poor performance in the remaining aspect.

12 The Finance Secretary Direction issued on 8 December 2021 under Subsection 36(3) of the Public Governance, Performance and Accountability Act 2013 requires that all programs report at least one performance measure.

13 Chapter 9 of the Shared Content of this policy manual requires TeamMate to be used to document audit engagements unless an alternative approach has been approved by the responsible GED in accordance with that chapter.

14 INTOSAI GUID3920 The Performance Auditing Process paragraph 75. While this INTOSAI guide is written for performance auditing, the hierarchy of evidence described is relevant for all assurance activities.

15ASA 530 Audit Sampling para 4. Note that ASAE 3000 does not contain guidance on the application of audit sampling to assurance engagements like performance engagements. ASA 530 is applied in this policy to the extent that it is relevant to performance statements auditing.

16 The relevant template for non-statistical controls sampling is the ‘Controls Testing — Sampling Template’ available in TeamStore.

17 The relevant template for non-statistical substantive sampling or accept-reject testing is the ‘Test of Details - Sampling Template’ available in TeamStore. The relevant template for statistical sampling is ‘Performance Audit Sampling Template’ available on Audit Central. Target testing may be documented using either template and census testing does not require the use of a template.

18 These circumstances would be considered deviations from the performance audit sampling policy as they are generally not suitable for performance audit purposes.

19 For a non-corporate Commonwealth entity, the CEO, however named, is normally the Accountable Authority. Audit teams will need to consider, on a case-by-case basis, who to get representations from where the chief executive and Accountable Authority are different, with particular reference to who signs the performance statements on behalf of the entity.

  • If the Commonwealth entity is a Department of State or a Parliamentary Department, the Accountable Authority is the Secretary of the Department.
  • If the Commonwealth entity is a listed entity, the Accountable Authority is the person or group of persons prescribed by an Act or the rules to be the accountable authority of the entity.
  • If the Commonwealth entity is a body corporate created by the law, the Accountable Authority is the governing body of the entity, unless otherwise prescribed by an Act or the rules.

20 The representation letter should include a schedule of identified uncorrected misstatements as an attachment.

21 This does not include circumstances where a misstatement is considered but the matter is substantively resolved through the provision of further audit evidence or the correction of an identified misstatement. Instead, it relates to circumstances where a qualification is considered and then decided against without any substantive change in the circumstances giving rise to the potential issue.

22 Wherever practicable it is preferable for audit findings to be included in the Closing Letter which is issued at the same time or before the issue of the auditor’s report. However, where this is not practicable the findings will need to be issued after that date in a Final Management Letter.

23 There are three types of modified opinions, namely, a qualified opinion, an adverse opinion, and a disclaimer of opinion.

24 Reports on other legal and regulatory requirements are dealt with in ASA 700. Matters relevant to the users’ understanding are dealt with in ASA 706.

26 Example wording for a modification to the independence framework statement usually made in our auditor’s report for a Commonwealth entity could be as follows: ‘In conducting the audit, I have followed the independence requirements of the ANAO, which incorporate the requirements of the Australian accounting profession to the extent that they are not inconsistent with the Auditor-General Act 1997 or other relevant legislation’.