(Ref: Para 3-16)

Direct engagements share many features of an attestation engagement undertaken under ASAE 3000. However, direct engagements also have unique features that are different from those of attestation engagements. For example, performance engagements undertaken in the public sector are ordinarily direct engagements, that have the following features: (Ref: Para 18(d)(f))

• The party responsible for the activity’s performance being reported on does not make a public assertion or statement on the activity’s performance as evaluated against the identified criteria.
• Pursuant to their legislative mandate, the assurance practitioner decides the:
  • activity’s performance to be evaluated; and
  • nature and scope of the activity’s performance to be reported on.
• The assurance practitioner identifies or develops the evaluation criteria against which the activity’s performance is assessed.
• The assurance practitioner then evaluates the activity’s performance (the subject matter) against the identified criteria and presents the outcome of the evaluation (the resulting subject matter information) as part of, or accompanying, the assurance report.

If the assurance practitioner initiates or accepts a limited assurance engagement to evaluate an activity’s performance, the assurance practitioner ensures:

1. the users understand the lower level of assurance which the assurance practitioner will obtain as a basis for their conclusion;
2. a limited assurance conclusion is likely to still meet the users’ needs; and
3. the assurance conclusion clearly communicates that the procedures performed vary in nature and timing from, and are lesser in extent than for, a reasonable assurance engagement and so the level of assurance obtained may be substantially lower than in a reasonable assurance engagement.

Elements of an activity’s performance that may be considered in a performance engagement include:

1. systems for planning, budgeting, authorisation, control and evaluation of resource allocation;
2. systems for ensuring compliance with relevant legislation, policies or procedures;
3. governance structures, including the assignment of responsibilities and accountability;
4. identification and management of risks;
5. reporting on resources used; and
6. reporting on outputs, outcomes and the achievement of objectives.

In the public sector, the conduct of performance engagements by AuditorsGeneral is legislated in the respective jurisdictions. While the legislative requirements may have either a narrow or broad scope, performance engagements may include examination of:

1. economy, efficiency, effectiveness and/or ethical aspects of:
   1. management systems or an entity’s management in order to contribute to improvements;
   2. the operations of an entity or an activity of an entity;
   3. the implementation of government policies or programs, and the application of government grants;
   4. financial prudence in the application of public resources; and
   5. administrative arrangements.
2. intended and unintended impacts of the implementation of government policies or programs and the extent to which community needs and stated objectives of an activity or entity have been met; or
3. probity processes and identification of weaknesses.

Performance Principle (Ref: Para 18(n))

The performance principle(s) to be addressed in evaluating an activity’s performance will vary depending on the terms of the engagement agreed or, for Auditors-General, the legislative mandate that applies in their jurisdiction. Performance engagements generally focus on one or more of the following performance principles (there may be others):

• Economy―The principle relating to the minimisation of the costs of resources, within the operational requirements of timeliness and availability of required quantity or quality.
• Effectiveness―The principle relating to the extent to which the intended objectives or outcomes of an activity are achieved.
• Efficiency―The principle relating to minimising the inputs employed to deliver outputs of an activity at the appropriate quality and quantity and when the outputs are needed.
• Ethics—The principle relating to the extent to which the proposed use of public resources is consistent with the core beliefs and values of society. Where a person behaves in an ethical manner it could be expected that a person in a similar situation would undertake a similar course of action. For the approval of proposed commitments of relevant money, an ethical use of resources involves managing conflicts of interests, and approving the commitment based on the facts without being influenced by personal bias. Ideally, ethical considerations are balanced with considerations of whether the use will also be efficient, effective and economical.^[29]
• Equity—The principle relating to fairness and impartiality in the use of public resources and/or the availability of public services.^[30] Equity is often treated as an element of ethics.
• Probity—The principle relating to evidence of ethical behaviour, and can be defined as complete and confirmed integrity, uprightness and honesty in a particular process.^[31] As there may be some overlap between probity and ethics, probity is often treated as an element of ethics.
• Sustainability—The principle relating to sustainable development strategies or management of sustainable development and environmental issues in meeting the needs of the present generation without compromising the ability of future generations meeting theirs.^[32]

(Ref: Para 22)

Relevant ethical requirements include the following fundamental principles with which the assurance practitioner is required to comply:

1. integrity;
2. objectivity, including independence;
3. professional competence and due care;
4. confidentiality; and
5. professional behaviour.

(Ref: Para 23-27)

Agreeing on or Communicating the Terms of the Performance Engagement (Ref: Para 24-25)

The terms of the performance engagement normally identify:

1. the engagement objective(s);
2. whether the engagement is a reasonable or limited assurance engagement;
3. the activity’s performance to be evaluated in the engagement;
4. the period to be covered by the engagement;
5. the performance principle(s) to be addressed in evaluating performance;
6. suitable criteria, in so far as the criteria have been identified, against which the activity’s performance will be evaluated;
7. the intended users of the assurance report;
8. the base elements of the assurance report; and
9. any other matters required by law or regulation to be included in the terms of engagement.

The terms of engagement may also seek the responsible party’s agreement that they acknowledge and understand their responsibility to provide the assurance practitioner with:

1. access to all information, such as records, documentation and other matters of which the responsible party is aware are relevant to the activity’s performance;
2. all additional information that the assurance practitioner may request from the responsible party for the purposes of the performance engagement; or
3. unrestricted access to persons engaged in the activity from whom the assurance practitioner determines it necessary to obtain evidence.

If there is no engaging party, such as for performance engagements initiated by an Auditor-General, the existence of a legislative mandate may obviate the need to agree on the terms of the performance engagement. Even in those circumstances it may be useful for the assurance practitioner to communicate the terms of engagement to the responsible party, including referral of any legislative requirements imposed on the responsible party to provide access to information or people relevant to the activity. (Ref: Para 9)

Preconditions for the Assurance Engagement (Ref: Para 26-27)

In the public sector, if a performance engagement is initiated by the assurance practitioner, some of the preconditions for the assurance engagement may be assumed to be present if they are set out in legislation, such as the roles and responsibilities of the responsible party and the right of access to information by the assurance practitioner. (Ref: Para 9)

When initiating or accepting a performance engagement, in order to satisfy themselves that those persons who are to perform the performance engagement collectively have the appropriate competence and capabilities, including having sufficient time to perform the engagement, the assurance practitioner may need to either assemble a multidisciplinary team or be a specialist in the relevant discipline.

When multidisciplinary teams are used in a performance engagement, adequate direction and supervision of engagement teams and review of their work are particularly important, so that the engagement team members’ different perspectives, experience and specialties are appropriately used. It is important that all engagement team members understand the objectives of the particular performance engagement and the terms of reference of work assigned to them. Adequate direction and supervision of engagement teams and review of their work are important so that the work of all engagement team members is executed properly and is in compliance with this ASAE and meets the quality management requirements of ASAE 3000.

Assessing the appropriateness of the activity’s performance to be evaluated as the subject matter (Ref: Para 26(a))

When assessing the appropriateness of the activity’s performance to be evaluated as the subject matter of the performance engagement, the assurance practitioner considers whether the:

• the activity is identifiable, and whether its performance can be consistently evaluated against identified criteria; and

• the activity’s performance can be subjected to procedures for gathering sufficient appropriate evidence to support a conclusion.

If after initiating or accepting the performance engagement, the assurance practitioner concludes that the activity’s performance is not an appropriate subject matter, the assurance practitioner assesses whether to:

• change the scope of the performance engagement or, if terms of the performance engagement have been agreed with the engaging party, seek to amend those terms; or

• withdraw from or discontinue the performance engagement.

In the event that the assurance practitioner is unable to change the scope or terms of, or withdraw from or discontinue, the performance engagement under paragraph A14 of this ASAE, the assurance practitioner considers the implications for the assurance report.

In a performance engagement initiated by the assurance practitioner, the identification of the subject matter and development of the engagement objective(s) and criteria is revised and refined as:

• more information on the subject matter is gathered; and

• the assurance practitioner better understands the needs of the intended users.

Assessing the Suitability of the Criteria (Ref: Para 26(b), 27)

Criteria are the measures used to evaluate the activity’s performance. Criteria which address each objective or subobjective are developed or identified in planning the performance engagement. In assessing the suitability of the criteria, the assurance practitioner considers whether the criteria are derived from sources such as:

1. regulatory bodies, legislation or policy statements;
2. industry standards, relevant benchmarks, and relevant practice guides developed by professional bodies, associations or other recognised authorities;
3. statistics, measures or practices developed by the responsible party or by similar entities; or
4. those developed by the assurance practitioner themselves, in which case the assurance practitioner documents why the identified criteria are suitable.

Regardless of the source, the assurance practitioner documents their assessment of the suitability of the identified criteria. The suitability of the criteria is determined within the context of the engagement circumstances, including the performance principle(s) to be addressed.

Criteria may range from general to specific. General criteria are broad statements of acceptable and reasonable performance. Specific criteria are derived from general criteria and are more closely related to an entity's governing legislation or mandate, objectives, programs, systems and controls.

Criteria are either established or specifically developed. Ordinarily, established criteria are suitable when they are relevant to the needs of the intended users. For some engagements criteria may have been developed to meet the needs of specific users. In this case, the assurance report may state, if it is relevant to the intended users:

• that the criteria are not embodied in laws or regulations, or issued by authorised or recognised bodies of experts that follow a transparent due process; and
• that the assurance report is only for the use of the intended users and for their purposes.

If, after initiating or accepting the performance engagement, the assurance practitioner concludes that the identified criteria are not suitable, the assurance practitioner may either:

• identify or develop suitable criteria;

• seek to change the terms of the performance engagement, if necessary, such as when the terms have been agreed with an engaging party; or

• withdraw from or discontinue the performance engagement.

In the event that the assurance practitioner is unable to change the terms of, or withdraw from or discontinue, the performance engagement, the assurance practitioner considers the implications for the assurance report.

(Ref: Para 30-40)

In the public sector, Auditors-General regularly receive topic suggestions for performance engagements from members of Parliament, executive government and the public. Auditors-General may also select topics that align with government policy objectives and reform agendas to assess progress and impacts. Auditors-General ordinarily adopt a strategic and risk-based approach to selecting performance engagement topics that are significant and auditable, and consistent with their legislative mandate. Once an Auditor-General has selected an engagement topic, the assurance practitioner plans the performance engagement.

Planning involves developing an overall strategy for the scope, emphasis, timing and conduct of the performance engagement. The performance engagement plan consists of a detailed approach for the nature, timing and extent of evidence-gathering procedures to be undertaken and the reasons for selecting them. Ordinarily, adequate planning:

• helps to devote appropriate attention to important areas of the activity’s performance, identify potential risk areas on a timely basis and properly organise and manage the performance engagement in order for it to be conducted in an effective and efficient manner;

• assists the assurance practitioner to properly assign work to performance engagement team members, and facilitates the direction and supervision of engagement team members and the review of their work; and 

• assists, where applicable, the coordination of work done by other assurance practitioners and experts. 

The nature and extent of planning activities will vary with the performance engagement circumstances, for example the size and complexity of the activity and the assurance practitioner’s previous experience with it. Examples of the main matters to be considered include:

• The terms of the performance engagement.

• The assurance practitioner’s understanding of the activity and other performance engagement circumstances.

• The characteristics of the activity and the identified criteria.

• The performance engagement process and possible sources of evidence.

• Identification of intended users and their needs, and consideration of significance in the context of the engagement.

• The assessment of risk.

• Personnel and expertise requirements, including the nature and extent of involvement by internal and external experts.

Planning is not a discrete phase, but rather a continual and iterative process throughout the performance engagement. As a result of unexpected events, changes in conditions, or the evidence obtained from the results of evidencegathering procedures, the assurance practitioner may need to revise the overall strategy and performance engagement plan and, as such, the resulting planned nature, timing and extent of further evidencegathering procedures.

Engagement Objective(s)^[33] (Ref: Para 18(g))

The objective of a performance engagement is often presented as a statement of purpose or question, which references the responsible party, the subject matter and the performance principle(s) to be addressed (for example, economy, efficiency, effectiveness and/or ethics). The assurance practitioner exercises professional judgement in determining the use of the most appropriate terminology throughout the performance engagement and especially in the assurance report.

The engagement objective is framed in a way that allows for an unambiguous conclusion to be reached as to whether the responsible party performed, or did not perform, the activity in accordance with the identified criteria.

In planning the performance engagement, if the scope of the engagement is based on an overall objective, then the assurance practitioner may identify more precise subobjectives/questions (or lines of enquiry) from which they can identify, select or develop the criteria against which the activity’s performance can be evaluated. Such subobjectives/questions are typically thematically related, complementary, not overlapping and collectively exhaustive in addressing the engagement objective.

Ideally, each engagement would have one overall objective that provides a clear focus for the engagement. However, for more complex engagements, the assurance practitioner may choose to develop several engagement objectives, which do not always need to be broken down into sub-objectives.

Significance^[34] (Ref Para 31-33)

For the purpose of this ASAE, significance may be viewed as the relative importance of a matter, within the context in which it is being considered, that could potentially influence the decisions of the intended users of the assurance report.

For the purpose of this ASAE, the term ‘significance’ is used instead of the ASAE 3000 term ‘materiality’. The concept of significance is considered more useful in the context of a performance engagement. It can be applied more flexibly at different stages of the engagement and is considered more helpful in ensuring that the assurance practitioner selects the right activities, criteria and findings to report, and provide assurance reports that are relevant and useful for the intended users. Significance may also be more meaningful to the lay person reading the assurance report, especially when communicated in terms of the causes and consequences of a finding (that is, the size and severity of the impact or potential impact of the finding).

Consideration of significance is a matter of professional judgement and depends on the assurance practitioner’s perception of the intended users’ needs and interests. Since the subject matter of performance engagements can vary broadly, that perspective may vary from one engagement to another.

In judging the relative importance of a matter, the assurance practitioner considers the:

• nature of the impact(s), which may relate to monetary value or the impact on the environment, society, politics, culture and the economy;
• size and severity of the impact or potential impact if it can be quantified; and
• likelihood of an impact occurring, which may be expressed using general terms (likely, very likely) or more precisely (for example, the probability of something occurring).

The inherent characteristics of an item may render a matter significant by its very nature. A matter may also be significant because of the context in which it occurs. Relevant considerations may include economic, environmental, political, cultural and other societal challenges at local, regional and global levels related to the activity’s performance examined, as well as compliance with laws and regulations.

Impacts may include negative and positive impacts, could be intended or unintended and may impact the short-term or long-term. The assurance practitioner also takes into account that impacts may change over time as activities and context evolve.

What is considered significant will depend on the perspective of the intended users, which may vary over time. In identifying individuals and groups whose interests are or could be affected by the assurance report, the assurance practitioner also takes into account that intended users may include individuals or groups who may not be able to articulate their views (for example, future generations) but whose interests are affected or could be affected. For the same engagement, the intended users may also be different for each of the identified criteria.

It may not always be possible for the assurance practitioner to identify all those who will read the assurance report, particularly where the assurance report is publicly available. In such cases, particularly when potential users are likely to have a broad range of interests in the assurance report, intended users may be limited to major stakeholders with significant and common interests. In the public sector, Parliament and the responsible party is likely to be the primary users of assurance reports on performance prepared by Auditors-General. Other major stakeholders may include, government, regulators, lobby groups and representative organisations.

When communicating significant variations in assurance reports, it may not always be reasonable for the assurance practitioner to assume that all of the intended users, such as members of Parliament or the general public:

1. have a reasonable knowledge of the activity or a willingness to study the assurance report with reasonable diligence;
2. understand that the assurance practitioner has applied the concept of significance in evaluating and obtaining assurance regarding the activity’s performance, and have an understanding of any significance concepts included in the identified criteria; and
3. understand any inherent uncertainties involved in evaluating the activity’s performance.

Unless the performance engagement has been designed to meet the particular information needs of specific users, the possible effect of variations in performance on specific users whose information needs may vary widely, is not ordinarily considered.

Professional judgements about significance are made in light of surrounding circumstances but are not affected by the level of assurance. That is, for the same intended users and purpose, the assurance practitioner applies the same considerations in both limited assurance and reasonable assurance engagements when considering the significance of matters.

Due to the importance of using professional judgement in considering the significance of matters and concluding on significant findings, the assurance practitioner’s documentation should be sufficiently complete and detailed, and include the rationale in support of any judgements made and conclusions reached.

Consideration of significance when selecting activities to examine

Effective performance engagements may have considerable impact. Assurance reports on performance provide new information, analysis or insights and, where appropriate, recommendations for improvement. In the public sector, this information may play a role in improving public sector performance and supporting accountability and transparency.

A significant activity is one that the assurance practitioner judges:

1. to be important to the intended users of an assurance report on the activity’s performance; and

2. for which new insights or more accessible information may influence the decisions made by those users.

The process to evaluate and select activities for examination, may include the following steps:

1. identify actual and potential impacts of the activity and the engagement; 

2. assess the significance of the impacts applying suitable criteria; and

3. prioritise the impacts based on their significance.

To understand the significance of an activity, the assurance practitioner may perform quantitative and qualitative analysis. The practitioner may also need to consult with relevant internal or external experts and relevant stakeholders.

The assurance practitioner may assess the significance of, and risks associated with, public sector activities and prioritise engagements by considering factors such as:

• Economic and financial magnitude—the economic contribution or impact of the activity may be significant.

• Social, public safety, political and/or environmental impact—activities affecting a large segment of the population or vulnerable sections of a population, or which may impact environmental sustainability, may be judged to be more significant.

• Visibility—the extent of interest shown in an activity or aspects of an activity by, for example, the legislature, regulatory bodies or the public, may indicate the importance of the activity to users. For example, a large number of complaints relating to the activity.

• Nature, size and complexity of the activity—an increase in the complexity of an entity’s activities, for example, increased variety and type of operations, functions and programmes may increase the risk that the entity does not achieve its objectives and goals or that they are not achieved in an efficient or economical manner.

• Likely impact of the performance engagement (added value expected from the engagement)—engagements that offer more opportunities to have an impact, may be prioritised.   

• Impact of the activity or failure of an activity on other areas within government, including in the areas of compliance, governance, transparency and accountability.

Significance in planning and performing the engagement

Given limited resources and time, a performance engagement cannot focus equally on all aspects of a significant activity’s performance during the engagement. Understanding what aspects of the activity’s performance may be significant to the intended users may assist the assurance practitioner in focusing their efforts and in applying professional judgement when considering the significance of any identified variations in performance.

Scoping the proposed engagement to focus on significant aspects of the activity’s performance, that is, the areas which will potentially add the most value, will support the development of an engagement objective(s).

For a performance engagement to be efficient and effective, which in this context means concluding against the engagement objective(s) and satisfying the needs of the intended users, it is important that the assurance practitioner assess and prioritise the most appropriate questions (lines of enquiry) and criteria to examine. For example, they may assess the risk of significant variations as either high, medium or low for each potential question/criteria. This assessment will require a good understanding of the activity and the information needs of the intended users of the assurance report.

In some instances, there may be no tolerance for variations in relation to significant criteria.

In conducting the performance engagement, the assurance practitioner considers the significance of the information that is being collected and the potential results of the analysis undertaken. The practitioner applies professional judgement to ensure that work is focused on significant aspects of the activity’s performance being examined.

Significance in formulating and reporting findings, conclusions and recommendations

During the reporting phase of the engagement, the assurance practitioner uses professional judgement to decide which findings are of such significance to include in the assurance report. While all identified variations may be reported to the responsible party, the assurance report should only include significant findings, that is, those that have a bearing on the conclusion and the reader’s use of the report.

An identified variation in the activity’s performance against the identified criteria may be considered significant when, in the assurance practitioner’s judgement, information about the variation could reasonably be expected to influence decisions made by intended users of the assurance report. What is relevant to report users is the consequence(s) of a finding (that is, the size and severity of the impact or potential impact of the finding) and cause (why it happened).

Individual variations in performance identified during the engagement (other than those that are clearly trivial) may have characteristics, for example, a root cause or a systemic issue, that indicate the combined effect of individual variations is likely to be significant.

The assurance practitioner may take the following factors into account when determining whether a variation constitutes a significant variation from the identified criteria:

• The number of persons or entities impacted. 

• The economic, social, political and environmental impact of an activity. Where there is broader societal interest in an activity or where the activity could present a significant risk to the public, for example, where the health or safety of the general public or vulnerable groups is affected, the tolerance for variations in performance may be less. 

• Whether a variation is the result of an intentional act or is unintentional.

• Whether a variation affects compliance with law or regulation.

• Whether a variation relates to transparency or accountability.

• If the likely cost of correcting an issue is greater than the benefit to be derived, significance may be questionable.

• Minor variations from several criteria may signal minor problems or may be indicative of a problem (or theme) of greater significance that may need to be reported as a significant variation.

• The nature of a variation, for example, the nature of observed variations from a control relevant to the activity’s performance.

• Whether a variation is significant having regard to the assurance practitioner’s understanding of known previous communications to users, for example, in relation to the expected outcome of the evaluation of the activity’s performance.

• Whether a variation relates to the relationship between the responsible party and the engaging party, or their relationship with other parties.

• When a threshold or benchmark value has been identified, whether the result of the procedure deviates from that value.

• When the activity is a governmental program or public sector entity, whether a particular finding is significant with regard to the nature, visibility and sensitivity of the program or entity.

Risk Procedures and Related Activities (Ref: Para 18(s), 34-40)

Understanding the Activity and Other Performance Engagement Circumstances (Ref: Para 34)   

Obtaining an understanding of the activity and other performance engagement circumstances is an essential part of planning and conducting the performance engagement. It provides the assurance practitioner with a frame of reference for exercising professional judgement throughout the engagement. For example, when:

• Defining a rational engagement objective and suitable evaluation criteria.
• Determining whether evidence needed to support the practitioner’s conclusion is available.
• Understanding the implications of applicable laws and regulations on the activity’s performance.
• Considering the factors that, in the assurance practitioner’s professional judgement, are important in directing the engagement team’s efforts, including where special consideration may be necessary (for example, the need for specialised skills or the work of an expert).
• Establishing and evaluating the continued appropriateness of quantitative and qualitative factors that may impact the assurance practitioner’s consideration of significance.
• Developing expectations to be applied when undertaking analytical procedures.
• Using data analysis tools to undertake the engagement.
• Requesting evidence that is relevant to the engagement objective(s) and identified criteria.
• Evaluating evidence, including the reasonableness of the responsible party’s oral and written representations.
• Designing and undertaking further evidence-gathering procedures to reduce the risk of an incorrect conclusion to an acceptable low level.
• Reporting the findings, conclusions and recommendations in an assurance report.

The assurance practitioner ordinarily has a lesser depth of understanding of the activity and other engagement circumstances than the responsible party. The assurance practitioner also ordinarily has a lesser depth of understanding of the activity and other engagement circumstances for a limited assurance engagement than for a reasonable assurance engagement. This will have the following implications:

1. For a limited assurance engagement, the assurance practitioner obtains an understanding of the activity sufficiently to identify areas where a significant variation in the activity’s performance is most likely to arise.  In a reasonable assurance engagement, a more in-depth understanding is required to both identify and assess the risks of significant variation. The assurance practitioner will use professional judgement to determine whether enough has been done to obtain and document the necessary understanding given the level of assurance.

2. Although in some limited assurance engagements the practitioner may identify or obtain an understanding of internal controls relevant to the activity’s performance, this is often not the case.

Enquiries and Discussion with Appropriate Parties (Ref: Para 35(a))

Although the assurance practitioner is not required to perform any further procedures regarding an entity’s compliance with laws and regulations in addition to that specified in paragraph 35(a) of this ASAE, the practitioner shall remain alert to the possibility that procedures performed during the engagement may bring instances of non-compliance or suspected non-compliance with laws and regulations to the practitioner’s attention. The assurance practitioner may have additional responsibilities under law, regulation or relevant ethical requirements regarding an entity’s non-compliance with laws and regulations.^[35]

Designing and Performing Risk Procedures (Ref: Para 36-40)

The engagement circumstances affect the degree to which each of the components of engagement risk is relevant to the engagement, in particular:

• The nature of the activity reported on. For example, the concept of control risk may be more relevant for engagement objectives related to the effectiveness/efficiency of a system or process (for example to monitor and report on performance), than for objectives related to the outcome of a program or process or the existence of a physical condition.

• Whether a reasonable assurance or a limited assurance engagement is being performed. For example, in limited assurance engagements the assurance practitioner may often decide to obtain evidence by means other than testing of controls, in which case consideration of control risk may be less relevant than in a reasonable assurance engagement to report on the same activity’s performance.

Risk procedures are part of an iterative and dynamic process. Initial expectations may be developed about areas where significant variations are likely to arise (in a limited assurance engagement) or risks of significant variation (in a reasonable assurance engagement), which may be further refined as the assurance practitioner progresses through the engagement, or if new information is obtained. Risk procedures by themselves do not provide sufficient appropriate evidence on which to base the assurance conclusion.

The assurance practitioner may perform further procedures (see ‘Designing and Performing Further Procedures’ below) concurrently with risk procedures when it is efficient to do so.

The nature and extent of risk procedures will vary based on the nature and circumstances of the entity (for example, the formality of the entity’s policies or procedures, processes and systems), the nature and complexity of the activity, the identified criteria, and the characteristics of the events or conditions that could give rise to significant variations. The practitioner uses professional judgement to determine the nature and extent of the risk procedures to be performed to meet the objectives of this ASAE to the level of assurance to be obtained.

Risk procedures may include the following:

1. Enquiries of parties as appropriate to the scope of the performance engagement and other engagement circumstances;

2. Analytical procedures; 

3. Observation; and

4. Inspection.

L. In a limited assurance engagement, identifying the areas where a significant variation in the activity’s performance is likely to arise enables the assurance practitioner to focus procedures on those areas. Risk procedures for a limited assurance engagement would ordinarily be limited to enquiries of appropriate parties, analytical procedures and necessary documentation review. However, there may be circumstances where the assurance practitioner may consider it effective or efficient to design and perform other procedures.

L. In rare circumstances, the assurance practitioner’s risk procedures may not identify any areas where a significant variation is likely to arise. Irrespective of whether any such areas have been identified, the practitioner is required to design and perform procedures to obtain a meaningful level of assurance^[36]. In such cases, the practitioner may perform additional risk procedures or design and perform further procedures in relation to significant areas of the engagement.

Based on the risk procedures performed, the assurance practitioner will be able to make an informed decision about whether the identified criteria are best addressed using a limited or reasonable assurance approach. For example, where risk procedures identify significant levels of engagement risk, a limited assurance engagement may not be suitable because:

• a limited level of assurance may not be meaningful to the users of the assurance report; or

• there may no longer be an efficiency advantage for the assurance practitioner in performing a limited assurance engagement because the assurance practitioner may have to perform considerable additional work under paragraph 43 of this ASAE where the practitioner believes that there may be a significant variation in the activity’s performance.  In these circumstances the assurance practitioner may consider whether a reasonable assurance engagement will be more effective.  This change in approach would be communicated through the engagement strategy.

Understanding Internal Controls Relevant to the Performance Engagement (Ref: Para 37-39)

Internal controls are processes designed, implemented and maintained by those charged with governance, management and other personnel to mitigate the risks which may prevent achievement of objectives relating to an entity and its operations, compliance or reporting.

The assurance practitioner’s understanding of the entity’s system of internal control provides a preliminary understanding of how the entity identifies business risks and how it responds to them. It may also influence the practitioner’s identification and assessment of the risks of significant variation. This assists the practitioner in designing and performing further procedures, including any plans to test the operating effectiveness of controls.

In the context of a performance engagement, a relevant internal control is one designed to address (mitigate) the risks of significant variation in the activity’s performance. A relevant internal control may include components of the control environment, the entity’s risk assessment process, the entity’s process for monitoring its system of internal control, the information system and communication, and specific control activities designed to mitigate specific risks. Professional judgment is needed to determine which controls are relevant in the engagement circumstances.

Internal controls relevant to an activity’s performance may include controls that pervasively impact an entity’s operations (indirect entity-level controls). Whether such controls are relevant, will likely depend on the engagement objective(s). For example, when the objective of an engagement is the effectiveness of the administration of grants for a public sector entity, internal control over human resources management may not be relevant to the performance engagement. If the assurance practitioner’s intention is to rely on the entity’s grants payment system, internal control related to the entity’s information system and information technology may be relevant to such an engagement.

In other situations, internal controls relevant to the engagement may be direct controls designed to mitigate the risks of significant variations from the identified criteria, such as authorisations and approvals, reconciliations, verifications (such as edit and validation checks or automated calculations), segregation of duties, and physical or logical controls, including those addressing safeguarding of assets. For example, a control to ensure contract variations are approved by an appropriate delegate may be relevant when conducting a performance engagement to examine whether procurements of office furniture have been consistent with a government’s procurement rules and are achieving value for money.

When the objective of a performance engagement is to conclude on a specific outcome of a program or process, examination of internal control at either the entity wide level or activity level may not be relevant to that engagement. For example, an assurance engagement may be designed to reach a conclusion regarding whether the time taken to process specific items (for example, applications to receive a service) over a specified period of time exceeds what is permitted under stated policies. The practitioner might simply examine all the items processed during the specified period and conclude on whether there were significant variations from the stated policies.

When the objective of a performance engagement requires the design or implementation of internal controls over a process to be assessed (for example, a process for dealing with patients in a hospital emergency room), the assurance practitioner’s expectations for the effective design and implementation of the internal controls is likely to be a criterion.

When internal controls are judged to be relevant to a performance engagement, the assurance practitioner’s understanding of controls includes identifying controls designed to mitigate the risk of significant variations identified as part of the assurance practitioner’s risk assessment. The aim is to identify controls that, if ineffective, will create a higher risk of significant variation.

The assurance practitioner may plan to obtain evidence by testing the operating effectiveness of identified controls, for example, where such an approach is considered to be more effective or efficient for large volumes of homogenous transactions. The assurance practitioner may also identify risks of significant variation for which it is not possible to obtain sufficient appropriate evidence through substantive procedures alone.

The practitioner is not required to evaluate the design of controls and to determine whether they have been implemented unless the practitioner plans to obtain evidence by testing their operating effectiveness.

A77R. Risk procedures to obtain an understanding about control design and implementation for a reasonable assurance engagement may include:

Enquiring with the responsible party’s personnel;

Observing the application of specific controls;

Inspecting documents and reports; and

Performing walk-throughs.

Enquiry alone is not sufficient for such purposes.

A78L. In a limited assurance engagement it will often not be necessary to obtain a detailed understanding of internal controls and the procedures to obtain the understanding may be less in extent, and of a different nature, than those required in a reasonable assurance engagement. For example, in a limited assurance engagement, the assurance practitioner may obtain a sufficient understanding through enquiry but may need to perform a walk-through in a reasonable assurance engagement.

Evaluating the design of a control involves the assurance practitioner’s consideration of whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, significant variations.

The assurance practitioner determines the implementation of an identified control by establishing that the control exists and that the entity is using it. There is little point in the practitioner assessing the implementation of a control that is not designed effectively. To determine if the controls have been implemented, the practitioner may perform walk-throughs or observe the control being performed by, for example, the responsible party’s personnel. The assurance practitioner often evaluates control design and implementation at the same time.

The practitioner may conclude that a control is effectively designed and implemented. It is then appropriate to design and perform further procedures to test its operating effectiveness in order to determine the nature, timing and extent of other assurance procedures. However, when a control is not designed or implemented effectively, there may be no benefit in testing it.

Evaluating the design and determining the implementation of controls is not sufficient to test their operating effectiveness.

Sufficiency is the measure of the quantity of evidence. Appropriateness is the measure of the quality of evidence; that is, its relevance and its reliability. The assurance practitioner ordinarily considers the relationship between the cost of obtaining evidence and the usefulness of the information obtained. However, the matter of difficulty or expense involved is not in itself a valid basis for omitting an evidencegathering procedure for which there is no alternative. The assurance practitioner uses professional judgement and exercises professional scepticism in evaluating the quantity and quality of evidence, and thus its sufficiency and appropriateness, to support the conclusions in the assurance report.

Performance engagements require the application of assurance skills and techniques and the gathering of sufficient appropriate evidence as part of an iterative, systematic assurance engagement process. For further guidance on the nature, timing and extent of evidencegathering procedures for performance engagements, refer to ASAE 3000.

A85L. The evidence required in a limited assurance engagement would ordinarily be limited to that obtained by enquiry, analytical procedures and necessary documentation review. In contrast to a reasonable assurance engagement, the assurance practitioner in a limited assurance engagement would not ordinarily seek to corroborate evidence obtained, as long as the information obtained from applying assurance procedures appears plausible in the circumstances, as judged by the practitioner. In circumstances where the practitioner is not satisfied of the plausibility of the initial evidence collected, it may be necessary to seek corroboration of evidence or to conduct more detailed procedures.

A86L. In considering the plausibility of evidence obtained, the assurance practitioner may consider, for example, whether the evidence:

is consistent with the practitioner’s knowledge and understanding of the entity and activity subject to the engagement, and other evidence obtained during the course of conducting the engagement; and

reasonably demonstrates that the criteria of the engagement have been met or not met.

A87L. While enquiry is a key procedure in the conduct of a limited assurance engagement, the assurance practitioner is still required to exercise professional scepticism. This means that the documentation of enquiries cannot simply restate the matters discussed but rather should demonstrate the basis on which the assurance practitioner has considered and accepted the evidence as plausible in the circumstances.

Under ASAE 3000 it may not be appropriate for a reasonable assurance engagement that has commenced to be reduced to limited assurance, without reasonable justification. ASAE 3000 notes an inability to obtain sufficient appropriate evidence to support a reasonable assurance conclusion, is not an acceptable reason to change from a reasonable assurance engagement to a limited assurance engagement. In these circumstances the assurance practitioner may consider withdrawing from the engagement or issue a modified conclusion.

A89L. If, in the case of a limited assurance engagement, the assurance practitioner becomes aware of a matter that leads the assurance practitioner to believe that there may be a significant variation in the activity’s performance, the practitioner is required by paragraph 43L of this ASAE to design and perform modified and/or additional procedures to obtain further evidence, until the practitioner is able to form a conclusion that either:

the matter is not likely to result in a significant variation in the activity’s performance; or

a significant variation in the activity’s performance exists.

A90L. The modified/additional procedures may include additional enquiry and/or more detailed analytical procedures. The assurance practitioner may also deem it necessary to apply procedures normally used in undertaking a reasonable assurance engagement, which may necessitate detailed transactional or data testing. The fact that the assurance practitioner performs modified/additional procedures does not alter the assurance practitioner’s objective of obtaining limited assurance in relation to the activity’s performance.

A91L. If, after having performed the modified/additional procedures the assurance practitioner is unable to achieve either of the outcomes in paragraph 43L, a scope limitation exists and the practitioner will issue, as appropriate, a qualified conclusion, disclaim a conclusion, or withdraw from the engagement, where withdrawal is possible under applicable law or regulation.

If the performance engagement is initiated by the assurance practitioner, the assurance practitioner may not be in a position to obtain representations from the responsible party, particularly as the responsible party may not be a party to the performance engagement.

Representations by the responsible party cannot replace other evidence the assurance practitioner could reasonably expect to be available. An inability to obtain sufficient appropriate evidence regarding a matter that has, or may have, a significant effect on the evaluation of the activity’s performance, when such evidence would ordinarily be available, constitutes a limitation on the scope of the performance engagement, even if a representation from the responsible party has been received on the activity.

Written representations may include that the responsible party:

acknowledges its responsibility for conducting the activity, intended to achieve a certain level of performance;

has provided the assurance practitioner with all relevant information and access agreed to, as set out in paragraph A8;

has disclosed to the assurance practitioner any of the following of which it is aware may be relevant to the performance engagement:

variations in achievement of intended performance; or

any events subsequent to the period covered by the assurance practitioner’s report up to the date of the assurance report that could have a significant effect on the assurance practitioner’s report.

The assurance practitioner considers the impact of identified variations to assess the overall significance of the findings against the identified criteria, in order to form a conclusion about whether the engagement objective(s) have been achieved. An identified variation in an activity’s performance against the identified criteria may be considered significant when, in the assurance practitioner’s judgement, information about the variation could reasonably be expected to influence decisions made by intended users of the assurance report. What is relevant to report users is the consequences of a finding (that is, the size and severity of the impact or potential impact of the finding) and cause (why it happened).

For further guidance on factors the assurance practitioner may take into account when evaluating the significance of findings, refer to A31-A41, A52-A55.

The extent of consideration of subsequent events that come to the attention of the assurance practitioner depends on the potential for such events to affect the activity’s performance and to affect the appropriateness of the assurance practitioner’s conclusions. Consideration of subsequent events in some performance engagements may not be relevant because of the nature of the activity.

The assurance practitioner does not have any responsibility to perform procedures or make any enquiry after the date of the report. However, if after the date of the report the assurance practitioner becomes aware of a matter identified, the assurance practitioner may consider reissuing the report. In a performance engagement the new report discusses the reason for the new report under a heading “Subsequent Events”.

The assurance practitioner’s conclusion directly addresses the question of whether or not the engagement objective has been met and, if not, is specific about the findings that resulted in exceptions to the conclusion, including the causes and consequences. The conclusion presents the assurance practitioner’s overall view and goes beyond merely restating or summarising the findings. Whereas findings are identified by comparing ‘what should be’, in accordance with the evaluation criteria identified for the engagement (the required or desired performance), with evidence on ‘what is’ (the actual performance), the assurance practitioner’s conclusion reflects the practitioner’s explanations and views based on these findings. The assurance practitioner’s conclusion clarifies and add meaning to the specific findings in the report. (Ref: Appendix 2)

In forming the conclusion, the assurance practitioner evaluates the sufficiency and appropriateness of the evidence obtained. The practitioner also assesses the significance of the findings in relation to the engagement objective(s). Evaluating whether sufficient appropriate evidence has been obtained, and whether more needs to be done to achieve the objectives of this ASAE, requires professional judgement.

A100L. The level of assurance in a limited assurance engagement is not easily quantified. Professional judgement is required in evaluating whether a meaningful level of assurance has been obtained. What is meaningful may vary from just above more than inconsequential to just below reasonable assurance. What is meaningful in a particular engagement represents a judgement within that range that depends on the engagement circumstances, including the information needs of the intended users, the identified criteria, and the nature of the subject matter. Because the level of assurance obtained in limited assurance engagements varies, it is important that the assurance report includes an informative summary of the procedures performed, recognising that an appreciation of the nature, timing, and extent of procedures performed is essential to understanding the assurance practitioner’s conclusion. (Ref: Para 18(l), 55(i))

The assurance report is the means by which the assurance practitioner communicates the outcome of the direct engagement, which includes the assurance practitioner’s conclusion, findings and recommendations (if any), to the intended users. Clear communication helps the intended users to understand the assurance conclusion.

The assurance practitioner considers which report structure will be most effective to communicate the outcome of the performance engagement. To effectively add value and maximise impact, it is important that the assurance report is comprehensive, convincing, timely, reader friendly and balanced:

Comprehensive

The assurance report does not have to contain all the information collected and analysed during the engagement to be comprehensive. However, the report includes all the information and arguments the assurance practitioner judges are necessary to address the engagement objective(s), while being sufficiently detailed to help the reader understand the significance of the conclusion and findings discussed in the report.

Convincing

To be convincing, the assurance report is structured in a logical manner to present a clear relationship between the engagement objective(s), identified criteria, findings, conclusion(s) and recommendations (if any). The assurance practitioner aims to present the findings accurately, addressing all relevant arguments to the discussion. Accuracy assures readers that what is reported is credible and reliable.

Timely

To be of maximum use, the assurance report is issued in time to respond to the needs of the intended users. If permitted, the assurance practitioner may provide interim reports of significant matters to responsible parties to highlight matters that may need immediate attention.

Reader friendly

The assurance report is likely to have a greater impact when it is reader friendly. It is therefore important that the assurance report is clear, concise, logical and focused on the engagement objective(s). The assurance practitioner considers using simple and unambiguous language to the extent permitted by the subject matter. Busy readers may not read reports from beginning to end and may instead focus on a contents page, headings and subheadings, an executive summary, conclusions, significant findings and recommendations (if any). The practitioner may consider using typographical devices (for example, the bolding of text) and other mechanisms (for example, illustrations, figures and tables) to improve clarity and which may assist in better communicating key messages. Where the report includes technical terms and concepts, it may be helpful to the reader if explanations are provided in a glossary or footnotes.

Balanced

A balanced report is impartial in content and tone, presents different perspectives and viewpoints, and includes both positive and negative aspects of the performance being evaluated. Evidence is presented and interpreted in an unbiased manner. By explaining the causes and the consequences of reported findings, users may better understand their significance. This may encourage corrective action and lead to improvements in performance.

There may be circumstances where an AuditorGeneral, having conducted a performance engagement, decides not to report to Parliament or to publish an assurance report. The AuditorGeneral usually has discretion under their mandate to choose whether and to whom they will report on performance engagements. Assurance reports which are tabled in Parliament become available to the public. In certain circumstances it may be necessary for the confidentiality of the assurance report to be maintained, in which case the report may, in accordance with relevant legislation be provided to the relevant Parliamentary Committee or other appropriate user, in confidence. The AuditorGeneral considers the public interest in determining whether the assurance report will be made publicly available.

This ASAE does not require a standardised format for reporting on performance engagements. Instead, it identifies the basic elements the assurance report is to include, whether in an executive summary, the main body of the report or in an appendix to the report. The format of the assurance report may differ depending on whether the assurance practitioner is an AuditorGeneral reporting to Parliament pursuant to their legislative mandate, or a practitioner engaged to perform a performance engagement in the private sector.

Assurance reports are tailored to the specific performance engagement circumstances and needs of intended users. The assurance practitioner uses professional judgement in deciding how best to meet the reporting requirements detailed in paragraph 55 in reporting conclusion(s), findings and recommendations (if any). The assurance practitioner includes the matters in paragraph 55 as a minimum and reports in the manner and to the extent necessary to facilitate effective communication to the intended users.

To maximise impact, the assurance practitioner may consider including an executive summary in the assurance report which may include, for example:

the scope of the engagement;

the engagement objective(s);

the evaluation criteria;

the assurance practitioner’s overall conclusion(s) against the engagement objective(s);

key findings; and

recommendations (if any);

The purpose of the main body of the assurance report is to substantiate the key findings of the engagement that support the assurance practitioner’s conclusion(s) and recommendations (if any). The engagement findings have to be put into context, and congruence has to be established between the engagement objective(s), conclusions and findings.

For reasons of transparency and accountability, the assurance practitioner may expand the assurance report to include other information and explanations, in addition to the basic elements identified in paragraph 55, including:

The terms of the engagement.

Relevant background information and historical context.

In addition to the overall objective(s), also identify sub-objectives/questions (or lines of enquiry).

In addition to the overall criteria, also identify sub-criteria.

The assurance approach/methodology.

Assurance-specific methods of data-collection and analysis applied.

Sources of data.

Factors relevant to the practitioner’s consideration of significance.

Analysis of the causes of variations in the activity’s performance.

Comments received in response to the report from the responsible party.

The decision to include information in addition to the basic elements identified in paragraph 55 depends on its significance to the needs of the intended users. To effectively communicate the conclusion and key findings, and not detract from key messages in the assurance report, the assurance practitioner may consider including such information in appendices to the assurance report.

Depending on the circumstances, the assurance practitioner may consider alternative structures to be more appropriate, for example, chronological or entity by entity.

As the intended users’ confidence in the findings and conclusions depends largely on the criteria used to evaluate the activity’s performance, it is essential that the assurance report identify the criteria used to evaluate performance, as well as their sources. This will include specifying the party responsible for those criteria, if it was not the assurance practitioner.

While the format and style of assurance reports may vary, effective reporting of findings will normally contain the following elements as a minimum:

identification of the evaluation criteria (the required or desired performance);

evidence (the actual performance, both positive and negative);

causes (identify the root cause of problems or observations); and

consequences, that is, why the reader should care about the finding (that is, the size and severity of the impact or potential impact of the finding).

Including an explanation of the causes and consequences of a finding will allow users to better understand the significance of findings (and any related recommendations) and may encourage corrective action to be taken, which may lead to improvements in performance.

The assurance conclusion is not a summary of findings but rather expresses a clear conclusion against the engagement objective based on the findings. The conclusion directly addresses the question of whether or not the objective of the engagement has been met and, if not, should ideally be specific about the findings that resulted in exceptions to the conclusion. The conclusion is written in a manner that is likely to enhance the degree of confidence of the intended users about the evaluation of the activity’s performance against the identified criteria. The user may benefit from seeing a summary of the key findings which support the conclusion in close proximity to the overall conclusion.

The level of assurance obtained/provided by the assurance practitioner should be clear from the report. A performance engagement may have more than one overall engagement objective and the assurance practitioner may need to express a conclusion against each objective. There may also be circumstances where a performance engagement may have several overall engagement objectives with a conclusion for each expressing a different level of assurance. Each conclusion would need to be expressed either in the form appropriate for a reasonable assurance engagement (expressed in positive form) or limited assurance engagement (expressed in negative form). (Ref: Para 55(d))

When the assurance practitioner was unable to obtain sufficient appropriate evidence (a scope limitation exists), the assurance practitioner’s conclusion clearly reflects that either:

the practitioner was unable to conclude against certain identified criteria, or certain engagement objectives or sub-objectives — when the assurance practitioner was unable to obtain sufficient appropriate evidence regarding certain aspects of the responsible party’s performance of the activity (a qualified “except for” conclusion); or (Ref: Para 55(g)(ii)a)

the practitioner was unable to conclude on the activity’s performance overall — when the assurance practitioner was unable to obtain sufficient appropriate evidence regarding the responsible party’s performance of the activity as a whole (a disclaimer of conclusion). (Ref: Para 55(g)(ii)b)

When the assurance practitioner has identified significant variations in the activity’s performance, the assurance practitioner’s conclusion clearly reflects that either:

the responsible party did not perform the activity in accordance with the identified criteria, or certain engagement objectives or subobjectives (a qualified “except for” conclusion); or (Ref: Para 55(h)(ii)a)

the responsible party did not perform the activity in accordance with the identified criteria, or the engagement objective(s), as a whole (an adverse conclusion). (Ref: Para 55(h)(ii)b)

A118L. The conclusion for a limited assurance engagement is expressed in negative form, that is, “… based on the procedures performed and evidence obtained, nothing has come to our/my attention …”. When the assurance practitioner has identified significant variations from the identified criteria, the practitioner issues a modified conclusion in line with paragraph 55(h) (adverse or qualified conclusion) — for example, “… based on the procedures performed and evidence obtained, nothing has come to our/my attention …, except for …” (qualified conclusion). To help users recognise and understand a limited assurance report, there are specific reporting requirements related to the summary of work performed and the conclusion, as outlined in paragraph 55.

Depending on the legislative mandate that applies in each jurisdiction, Auditors-General may be required to either:

conduct public sector performance engagements in accordance with ASAE 3500;

have regard to ASAE 3500; or

set their own audit and assurance standards which may incorporate ASAE 3500.

Where the assurance report includes a statement that the performance engagement has been conducted in accordance with ASAE 3500, it implies the practitioner has complied with all the requirements of this ASAE that are relevant to the engagement.

A120L. The summary of the work performed helps the intended users understand the assurance practitioner’s conclusion. In a limited assurance engagement, the summary of the work performed may be more detailed than for a reasonable assurance engagement. This is because an appreciation of the nature, timing and extent of procedures performed is essential to understanding a conclusion expressed in a form that conveys whether, based on the procedures performed and evidence obtained, a significant matter(s) has come to the practitioner’s attention to cause the practitioner to believe that the responsible party did not perform the activity in accordance with the identified criteria. It may be appropriate to indicate in the summary of the work performed certain procedures that were not performed, that would ordinarily be expected to be performed in a reasonable assurance engagement.

A constructive recommendation is one that is relevant, practical, measurable, attainable, and likely to contribute significantly to addressing the issues identified by the engagement. Recommendations would ordinarily follow logically from the facts and arguments presented in the assurance report. For Auditors-General, the making of recommendations would be dependent upon their legislative mandates. If no recommendations are relevant, or if only key recommendations are included in the assurance report, the report includes a statement to explain this.

Documentation includes a record of the assurance practitioner’s reasoning on all significant matters that require the exercise of professional judgement, and related conclusions. The existence of difficult questions of principle or judgement, calls for the documentation to include the relevant facts that were known by the assurance practitioner at the time the conclusion was reached.

In applying professional judgement to assessing the extent of documentation to be prepared and retained, the assurance practitioner may consider what is necessary to provide an understanding of the work undertaken, and the basis of the principal decisions made, to another experienced assurance practitioner who has no previous connection with the performance engagement. It is neither necessary nor practicable to document every matter the assurance practitioner considers during the performance engagement.

Appendix 1

(Ref: Para 7)

Appendix 2

(Ref: Para 7, A98)

The following example demonstrates the alignment between the engagement objective, evaluation criteria, findings and conclusion in a performance engagement. The example has been simplified to show this alignment.

Appendix 3

(Ref: Para 9)

The diagram below illustrates the relationships in a performance engagement conducted by an AuditorGeneral.

ParliamentProvides the mandate and resources to the Auditor-GeneralAssurance practitioner (Auditor-General)Selects an Activity’s Performance to examineIdentifies or Develops criteria to assess the activity’s performanceEvaluates the activity’s performance against the criteriaReports on the activity’s performance (Assurance Report)Responsible party/(ies)Administers the activityResponds to the report on the activity’s performanceReceives and responds to the report on the activity’s performanceResponds to the assurance practitioner’s requests to provide information on the activity’s performance

Under their legislative mandate, the AuditorGeneral selects an activity, conducted by the responsible party(ies), to be the subject matter of a performance engagement. The AuditorGeneral identifies the performance principle(s) (for example, economy, efficiency, effectiveness, and/or ethics) to be applied and develops suitable criteria against which to assess performance. The AuditorGeneral evaluates the performance of the activity against those identified criteria (in terms of the performance principle(s) to be addressed) and presents the resulting subject matter information (for example, analysis and findings) as part of, or accompanying the assurance report. The Auditor-General also applies assurance skills and techniques to obtain assurance on which to base their conclusion. The assurance report is ordinarily tabled in Parliament.

Appendix 4

(Ref: Para 16, 57)