Chapters 301 to 305

301. Terms of the audit engagement

Guidance

301.7 The engagement letter is sent to the Accountable Authority of a Commonwealth entity (normally the Chair of the Accountable Authority where the authority has more than one member).

301.8 ASAE 3000 paragraph 27 requires the agreement of the Accountable Authority to the engagement terms. As an independent officer of the Parliament, the conduct of the ANAO’s performance statements audits is conducted under the Auditor-General’s discretion not subject to the agreement of the audited entity and as such an acknowledgement by the auditee about their responsibilities is suitable¹.

301.9 Paragraphs 301.3 and 301.4 list situations where ANAO policy requires an engagement letter to be revised and re-issued or requires the attention of the entity to be drawn to the existing terms. Subject to these specific policy requirements, it is a matter for judgement by the Engagement Executive whether to formally confirm the terms of engagement or to draw attention to existing terms. The list of circumstances in paragraphs 301.3 and 301.4 is not exhaustive, and the Engagement Executive needs to be alert to other circumstances where an entity needs to be advised of revised terms of engagement or reminded of the existing terms. Examples where the Engagement Executive may need to consider re-issuing or drawing the entity’s attention to the terms of engagement include:

1. a change of several Board members (other than the Board Chair);
2. a change of Audit Committee Chair; and
3. a significant change in nature or size of the entity’s business, e.g. by the addition of functions following the issue of new or revised Administrative Arrangements Orders (AAOs).

301.10 Typically, a new formal agreement with the entity is needed when the matters covered by the current engagement letter change or new conditions relevant to an engagement arise. Examples are changes in governing legislation, respective responsibilities or reporting requirements. In this situation, formal acknowledgement on behalf of the entity of the revised terms of engagement is needed from the (head of the) Accountable Authority.

301.11 Where the existing terms of engagement are unchanged but there is a need to draw the entity’s attention to the existing terms, a response from the entity is not required.

301.12 The applicable legislation for performance statement audits is ordinarily the PGPA Act and the A-G Act. In unusual circumstances there may be other legislation that serves to amend the reporting or auditing requirements with respect to performance information. In those circumstances engagement teams are required by this policy to consult with PSG to suitably amend the engagement terms to accommodate any such legislation.

302. Role and responsibilities of the Group Executive Director

Guidance

302.7 The key activity of the PSASG GED is set out in the Service Group business plans.

302.8 The PSASG GED manages the audit services groups and manages audit quality at a group level over performance statements audits. The responsibilities prescribed in this manual are not intended to restrict the GED from establishing practice management or further appropriate quality assurance business processes as the GED determines is necessary in the circumstances within the scope of the A-G Act, the ANAO Auditing Standards, and any other ANAO policy or legal requirements.

302.9 For high risk audits, the GED is expected to be more involved in the monitoring of audit planning, execution and reporting, including significant matters arising during the audit. The appointment of the PSASG GED as Engagement Quality Reviewer (EQR) in accordance with Chapter 8 of the Shared Content and Chapter 312 of this volume may increase the GED’s involvement. However, in circumstances where a different officer is appointed as EQR Chapter 312 requires consideration of the level of involvement of the PSASG GED as part of the response to the audit risk.

302.10 This involvement would not include specific direction, supervision and review of procedures and workpapers for individual performance statements audits, unless the PSASG GED has been assigned a formal role on the audit (such as being the signing officer or an E Q R) or was conducting specific roles reserved for the responsible GED under this part of the audit manual or under the Shared Content volume (such as a consultation required by Chapter 8 of the Shared Content).

303. Role and responsibilities of the Engagement Executive

Background

303.1 This policy sets out the responsibilities of the Engagement Executive in a performance statements audit.

303.2 The Engagement Executive is the ‘lead assurance practitioner’ for the purposes of the Standards on Assurance Engagements. Audit Executives for performance statements audits will be determined in accordance with the audit delegations.

Guidance

Responsibilities of the Engagement Executive

303.11 The responsibilities in the auditing standards which this policy places on Engagement Executives include the following:

1. the overall quality on each audit engagement to which the Engagement Executive is assigned.
   
   1. Through their actions and appropriate messages to the engagement team, the Engagement Executive should emphasise the importance of compliance with ANAO Auditing Standards and quality control policies and procedures. In addition, the engagement team should have the ability to raise concerns without fear of reprisals. Quality is essential in performing audit engagements, and the overall quality of the audit will be helped by ensuring that the audit is performed consistent with ANAO standard methodology;
2. the engagement team’s compliance with relevant ethical requirements including APES 110.
   
   1. These include the principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour. The Engagement Executive should remain alert for evidence of non-compliance and if it should occur, in consultation with others, determine the appropriate action;
3. the engagement team’s compliance with Chapter 5 of the ANAO Audit Manual — Shared Volume which prescribes ANAO’s independence policy;
4. supporting the PSASG GED to apply appropriate procedures regarding acceptance and continuance of audit engagements when considering a request from the Finance Minister or responsible Minister under section 40 of the PGPA Act or designation of a performance audit on performance information under section 18B of the AG Act.
   
   1. These procedures should include consideration of the integrity of those charged with governance and management, competence of the engagement team and compliance with ethical requirements. All conclusions reached should be documented within the audit file;
5. communication of the role of Engagement Executive and, where different, the Signing Officer, to key members of auditee management and those charged with governance;
6. the appropriate planning of the engagement consistent with ASAE 3000 paragraph A57 Assurance Engagements Other than Audits or Review of Historical Financial Information;
7. the assignment of engagement teams and auditor’s experts which collectively have the appropriate levels of competence and capabilities.
   
   1. The Engagement Executive is required by the ANAO Auditing Standards to be satisfied that the competence and capabilities of the audit team will ensure performance of the audit engagement consistent with professional standards and regulatory requirements, and enable an auditor’s report that is appropriate in the circumstances.⁴ When considering the competence and capability of the engagement team as a whole, the Engagement Executive may take into account such matters as the team’s understanding and practical experience of audit engagements of a similar nature, their understanding of professional standard and regulatory and legal requirements, technical expertise, ability to apply professional judgement and understanding of the ANAO’s quality control policies and procedures;
8. the direction, supervision and performance of the engagement consistent with professional and auditing standards and regulatory and legal requirements. The Engagement Executive should document the extent and timing of their reviews. Refer to the policy Direction, Supervision and Review (ANAO Audit Manual — Shared Content, paragraphs 8.2–8.4) for further guidance;
9. ensuring that sufficient and appropriate audit evidence exists and is documented to support the conclusions reached and for the auditor’s report to be issued.
   
   1. In line with the ANAO policy Audit Documentation (ANAO Audit Manual — Shared Content, paragraphs 9.2–9.15) the only work that should be done after the signing of the auditor’s report is that of an administrative nature;
10. following appropriate procedures for consultations and differences of opinion, and in particular, ensuring compliance with the ANAO policy on Differences of Opinion (ANAO Audit Manual — Shared Content, paragraphs 8.74–8.83);
11. determining that an EQR has been appointed by the PSASG GED, as required by the ANAO Auditing Standards and ANAO policy (Refer to the Engagement Quality Review (ANAO Audit Manual — Shared Content, paragraph 8.44);
12. discussing the susceptibility of the performance statements to material misstatement, particularly due to fraud, with the engagement team; and
13. enough involvement in the audit engagement at appropriate stages throughout the engagement including attendance at key meetings, discussions with the engagement team, EQR and Signing Officer (where appropriate) and the completion of the planning and completion checklists at the appropriate stages of the audit.

Assistance from Audit Manager

303.12 Engagement Executives are assisted by the Audit Manager and team allocated to the engagement in fulfilling their responsibilities, including assistance with:

1. consideration of whether the audit should be delivered through in-house or externally contracted resources;
2. ensuring all audit related documentation is filed;
3. planning the scope of work to produce the audit deliverables in the agreed timeframe;
4. planning the time taken to prepare for, conduct and close the engagement;
5. delivering in accordance with agreed timeframes;
6. monitoring the costs associated with the audit, including recommending a variation to the budget if required;
7. ensuring the quality of the audit deliverables;
8. resourcing the audit to ensure that the audit team has the requisite skills to undertake the audit;
9. the direction, review and supervision of audit team members;
10. communication within the ANAO, among audit team members, and the entity being audited, and more broadly, other interested parties;
11. assessing and managing the operational and engagement risks associated with the audit;
12. the procurement of any specialist resources and any associated contract management;
13. documenting the agreed scope, timeliness and quality assurance arrangements in respect of any services required from other areas within the ANAO to contribute to a performance statements audit; and
14. ensuring all persons engaged in the audit complete the required independence documentation and action is taken to manage any declared conflicts as required.

303.13 Audit Managers are expected to regularly monitor progress against established audit milestones and document the actual date that audit milestones are achieved in the ANAO’s systems in a timely manner. The data held in those systems forms the basis of reports to ANAO senior executives.

303.14 When engaging with the entity being audited, especially on difficult or contentious matters, the Engagement Executive and audit team should ensure that a professional and productive approach is taken. This includes, for example, trying to understand the audited entity’s circumstances, operating environment and point of view.

303.15 The Engagement Executive should be aware of any risks to audit timeliness and budget, and escalate these as soon as practicable.

Relationship with the engagement quality review

303.16 Where an EQR has been appointed:

1. significant issues arising on an engagement should be considered by the Engagement Executive (and the Signing Officer if applicable), in consultation with PSG as appropriate, before consultation with the EQR to minimise compromising the EQR’s objectivity. Where there is a difference of opinion between the Engagement Executive (and the Signing Officer if applicable) and the EQR, ANAO policy on Differences of Opinion (ANAO Audit Manual — Shared Content, paragraphs 8.64–8.68) should be followed; and
2. the auditor’s report cannot be issued until the completion of the engagement quality review (Refer to the Engagement Quality Review (ANAO Audit Manual — Shared Content, Chapter 8).

303.17 Where an EQR has not been appointed, circumstances which may cause the Engagement Executive to seek to have an EQR appointed could include the emergence of an unforeseen risk of material misstatement, identification of areas which are complex or contentious, or an increased reputational threat to the ANAO.

Date of signing of the auditor’s conclusion

303.18 The date of signing of the auditor’s report should coincide with the date the performance statements are signed wherever possible. The Engagement Executive should endeavour to agree an audit timetable with the auditee that provides for the auditor’s report to be signed on the same date the performance statements are signed. Where there is a delay of greater than 2 days between the signing of the performance statements and the auditor’s report thereon, paragraph 332.11332.11 of this manual requires that to be brought to the attention of the PSASG GED.

303.19 Paragraph 61 of ASAE 3000 provides that a subsequent events review to the date of the auditor’s report must be undertaken and documented in the audit working papers. This includes any matters that occur between the Accountable Authority signing the performance statements and the signing of our auditor’s report.

304. Role and responsibilities of the Signing Officer

Background

304.1 The Signing Officer is the person who signs the audit report on the performance statements. In some cases, the Signing Officer may also be the Engagement Executive for the audit.

304.2 On some audits, the Auditor-General signs the audit report or delegates signing responsibilities to another executive other than the Engagement Executive for the audit. Where there is a separate Signing Officer, that officer has reduced involvement in the audit due to the Engagement Executive’s role however retains overall responsibility for the audit.

304.3 This policy requires the Signing Officer to review or approve key aspects of the audit and also provides the basis for the Signing Officer’s reliance on the Engagement Executive.

Guidance

304.6 Significant matters arising on an engagement should be considered by the Engagement Executive, in consultation with the Signing Officer as appropriate. Significant matters may include critical areas of judgement, difficult or contentious matters, high risks of material misstatement or other areas that the Engagement Executive or Signing Officer consider important.

304.7 The requirement for the Signing Officer to approve key aspects of the audit strategy is intended to ensure that the Signing Officer provides approval of the key judgements in the audit.

304.8 The application of materiality is a significant judgment on the audit, although this does not necessarily require the signing officer to approve every materiality threshold set by the audit team in planning the nature, timing and extent of the audit of audit procedures on individual performance measures.

304.9 The Signing Officer may review matters additional to those required by this policy. For example, the Signing Officer may review the interim or final management letters or the closing report.

304.10 Where the Signing Officer is the Auditor-General, Deputy Auditor-General or Group Executive Director, the information required by those officials to fulfil the requirements of this policy will ordinarily be limited to that specified at paragraph 303.6303.6 and through verbal briefings. Where further information is required, this will be requested by the Auditor-General or Deputy Auditor-General.

304.11 The Signing Officer’s approval of documents or key judgements and other significant matters are evidenced in the TeamMate file.

305. Role and responsibilities of the SADA Executive

Background

305.1 This policy sets out the responsibilities of the SADA Executive in a performance statements audit that engages the specialist skills of the SADA Group.

305.2 A SADA Executive is allocated to a performance statements audit or other assurance engagement consistent with ANAO Audit Manual — Shared Content volume, paragraph 6.4.

Guidance

305.4 The responsibility for the direction, supervision and performance of the SADA component of the engagement includes:

1. emphasising the importance of audit quality on each engagement;
2. tracking the progress and quality of the SADA component of the engagement;
3. considering the competence and capabilities of the SADA audit team assigned to the engagement;
4. ensuring that appropriate SADA procedures are planned and performed;
5. addressing significant SADA matters arising during the engagement and the impact on the planned approach;
6. ensuring the SADA work performed supports the conclusions reached and is appropriately documented; and
7. agreeing with the Engagement Executive any SADA services to be provided in a performance statements audit, the scope, timeliness and quality assurance arrangements for those services, as well as ensuring those services are appropriately resourced.

305.5 IT can pose specific risks to an entity’s internal control. Some examples of IT risks which may be relevant to performance statements audits are:

1. reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both;
2. unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or non-existent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database;
3. the possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties;
4. unauthorised changes to data in master files;
5. unauthorised changes to systems or programs;
6. failure to make necessary changes to systems or programs;
7. inappropriate manual intervention; and
8. potential loss of data or inability to access data as required.

305.6 Attendance at key meetings should be determined by the nature of the audit and the level of SADA involvement. If SADA involvement has been minimal and/or there are no material findings arising from SADA work performed, it may not be necessary for the SADA Executive to attend key meetings with the auditee and within ANAO. However, attendance at key meetings would be expected if there was extensive SADA involvement and/or material findings arising from SADA work performed.

Chapters 311 to 314

311. Understanding the entity and the performance measures subject to audit

Guidance

311.7 The collection of information about the entity and performance measures to be audited is a key element of planning for an audit.

311.8 Obtaining an understanding of the entity, its purposes, and the context in which the entity operates is an essential part of planning and conducting a performance statements audit. It includes gaining knowledge of the entity, its legislative and policy framework and the entity’s purposes and key activities.

311.9 Additionally, an understanding of the entity’s internal control and performance statement preparation processes is required to ensure that audit procedures are designed and executed in a manner that is responsive to the audit risk.

311.10 This understanding provides the auditor with a framework to:

1. form a view on the overall maturity of the preparer’s performance statement preparation processes and respond with an appropriate audit strategy;
2. design an effective and efficient audit approach using a combination of controls and substantive audit evidence;
3. identify and assess audit risks;
4. identify engagement risks and assess materiality;
5. identify whether there is the need for specialist skills or the work of an expert; and
6. estimate resource requirements.

Types of information to be collected

311.11 The types of information that it may be appropriate to collect about the performance statements auditee includes:

1. purposes of the entity⁷;
2. the programs and key activities of the entity including the intended outputs and outcomes, delivery methods and constraints;
3. the performance measures of the entity as prescribed in the entity’s portfolio budget statements, portfolio additional estimates statements and corporate plan;
4. external accountability relationships — who the stakeholders and clients are and what their interests are in the entity;
5. internal accountability relationships — such as organisational arrangements, delegations and committee structures;
6. resources — the physical, financial, human and information resources available to the entity;
7. applicable legal and policy frameworks/requirements for the activity
8. internal controls processes, including:
   
   1. governance arrangements, including audit committees;
   2. internal performance measures used by management;
   3. the processes used by management to ensure the integrity of the reported performance measures;
   4. the nature and frequency of internal reporting on performance;
   5. the systems and controls in place for controlling the entity’s resources;
   6. the systems and controls used to collect the underlying records for performance statements;
   7. risk assessments used by management; and
   8. the role of internal audit;
9. the entity’s legislation and governance framework;
10. the external environment — factors that influence the entity’s operations, over which the entity may have little control, such as economic, social, and political influences, with a particular focus on changes to that environment; and
11. other information on the entity.

Sources of information

311.12 In accordance with ASA 315 Identifying and Assessing the Risks of Material Misstatement and other financial statement auditing standards, a substantial amount of information about the entity’s legislative framework, systems of internal controls, compliance with laws and regulations and internal audit activity is collected and analysed by the financial statements audit team of a Commonwealth entity. This information will normally be directly relevant to financial performance measures and directly or indirectly relevant to other aspects of the entity’s performance. It is therefore important for performance statements and financial statements audit teams to work together to coordinate collection of information from auditees, share insights and implement a joined-up approach to auditing.

311.13 SADA’s cumulative audit knowledge about major Commonwealth government IT systems may provide useful background information about key potential IT aspects of the performance statements audit.

311.14 Background information may also have already been collected as part of the ANAO’s annual planning process or as part of a relevant performance audit. In accordance with ASAE 3500 Performance Engagements, performance auditors gather information about the business processes, legislation and activities relevant to the performance engagement. It includes gaining knowledge of the entity that is responsible for the activity, and where relevant, the broader program of which the activity is part of. The information typically gathered is described in detail in Chapter 205 of the PASG content of this manual and is likely to be relevant to a performance statements audit where a performance measure relates to an area of performance audit activity.

311.15 In addition, the audit team should hold discussions with the entity, including internal audit, and obtain and review documentation, including:

1. relevant policies, plans and procedures; and
2. reports on any evaluations or reviews.

311.16 The information-gathering powers in the A-G Act can be used to obtain information and documents required for planning an audit. However, in practice, the information-gathering powers are used as ‘reserve’ powers and access to required information is almost always obtained through cooperation with entities. Detailed policy and guidance about using these powers is provided in Chapter 2 of the Shared Content volume of this manual.

312. Engagement risk rating

Background

312.1 The assessment of engagement risk helps the Auditor-General, the PSASG GED and PSASG Engagement Executives identify professional risks associated with auditees and engagements of the ANAO at a whole-of-practice and individual engagement level. The determination of engagement risk provides a basis to determine whether additional quality control responses in accordance with ASAE 3000 are required.

Guidance

Components of engagement risk

312.10 When assessing engagement risk, one relevant risk is the risk of material misstatement, which is a risk posed by the circumstances of the engagement and reflects the risk prior to the conduct of the engagement that the performance statements contain material misstatements. The auditor’s procedures in response to the risk of material misstatement are designed to reduce audit risk to an acceptably low level in each engagement.

312.11 However, for the purposes of managing risk for the ANAO as a whole, engagement risk also encapsulates other risks to the Auditor-General and the ANAO arising from the conduct of the engagement that is separate or additional to the risk of material misstatement. These risks are referred to collectively as “Other Professional Risks”.

312.12 PSASG uses an engagement risk rating scale of low, moderate and high. The rating assigned to an auditee is based on professional judgement relating to the auditee’s particular circumstances.

312.13 Sources of engagement risk are cumulative and should be considered collectively to assess the overall risk.

Risks of material misstatements

312.14 For audits of performance statements, the risk of material misstatement includes the risks that the auditor does not directly influence: inherent risk and control risk. As applied to performance reporting, these concepts are defined as:

1. Inherent risk: the susceptibility of the performance statements to a material misstatement before consideration of any related controls applied by the auditee’s Accountable Authority; and
2. Control risk: the risk that a material misstatement that occurs in the performance statements will not be prevented, or detected and corrected, on a timely basis by the internal control implemented by the auditee.

312.15 Assessment of risk of material misstatement does not take into account the ANAO’s planned audit response to reduce the residual risk to an acceptable level. Overall, this means that for an audit of performance statements, the risk of material misstatement is the risk that the performance statements are materially misstated prior to audit. The risk that the auditor is able to directly influence is the risk that the procedures performed by the auditor will not detect a material misstatement and is known as detection risk.

312.16 The assessment of the risk of material misstatement is central to the risk-based audit approach, and requires the engagement team to:

1. understand the entity and its environment, including internal control;
2. assess the risks of material misstatement for the performance statements, whether due to fraud or error; and
3. design and perform audit procedures to reduce audit risk to an acceptably low level.

312.17 TeamMate contains templates in the A.2: Understand Entity and its Environment which help in determining the risk of material misstatement for an auditee and may be used as the basis for recording the preliminary risk assessment required by paragraph 312.4 above.

312.18 Relevant factors for consideration when determining performance engagement risk include:

312.19 Potential indicators that there is a high level of audit risk may include:

1. highly complex entities with multiple purposes, activities or programs;
2. complex performance measures;
3. performance measures relying on significant judgement by the measurer;
4. deficiencies in corporate governance;
5. substantial reliance on third parties;
6. significant business risks which impact on the performance of the entity as a whole;
7. poorly controlled, or changing, processes and systems;
8. complex or bespoke IT systems;
9. frequent changes in key personnel, systems or programs which are not well managed; and
10. previous financial, performance or performance statement engagements that may have reported on significant findings.

312.20 The assessed risk of material misstatement is communicated to the auditee as part of formal communication at the planning stage. Subject to the agreement of the PSASG GED, low and moderate engagement risk ratings may be communicated to the auditee as ‘normal’ risk.

312.21 Reporting to the Parliament may use the low, moderate and high risk rating approach in line with the TeamMate file workpapers. The low or moderate rating can be communicated with the auditee formally or informally, as considered appropriate by the relevant Engagement Executive.

312.22 Key individual risks of material misstatement (i.e. those assessed as significant and relevant) that are identified during audit planning should be evaluated to consider their impact on the engagement risk. The risk level of the identified risks should be determined by assessing the likelihood and potential impact of each risk.

Other professional risks

312.23 While the assessment of the risk of material misstatement is central to the ANAO’s risk-based audit approach, it does not address all of the risks that the Auditor-General must manage to effectively deliver on all of the functions provided under the A-G Act. To assist the Auditor-General to manage these risks, it is the responsibility of the PSASG GED and Engagement Executives to identify and respond to other potential risks arising out of conduct of individual engagements.

312.24 While the A-G Act provides the ANAO with expansive powers, independence and indemnities, the Office and the Auditor-General are not immune from litigation. The possibility of legal action being taken by an auditee or other interested party due to the conduct of a PSASG engagement may impinge upon the professional reputation and independence of the Office.

312.25 In some other circumstances there may be a reputational risk arising from the conduct of an audit. Reputational risks may arise because of perceptions about the appropriateness, competence or role of the Auditor-General. Examples may include:

1. politically sensitive subject matters where the ANAO’s audit conclusion may be perceived as supportive or unsupportive of areas of government policy;
2. stakeholder understanding or expectation is different from the audit objective and criteria, resulting in an expectation gap between the scope of the audit and the expectations of the users. For example, the ANAO may issue an unmodified auditor’s report on performance statements which indicate that an auditee met its performance targets where there is significant stakeholder dissatisfaction with the auditee’s performance;
3. breaches (or apparent breaches) of confidentiality and privacy provisions of the A-G Act, Parliamentary conventions, other legislation and community expectations;
4. difficult or contentious relationships with auditees, particularly those likely to lead to public disagreements;
5. the ANAO being perceived as unpragmatic, unrealistic or otherwise inconsistent with relevant stakeholder expectations; and
6. the ANAO not being perceived as independent because of a conflict between the ANAO’s mandate and relevant professional independence requirements.

312.26 In some cases, no amount of additional audit work will significantly reduce the risk arising from Other Professional Risks, however the employment of additional quality assurance and risk management procedures will provide the Auditor-General with additional confidence that the work performed is appropriate and will stand up to scrutiny.

Roles, Responsibilities and Appointment of EQRs

312.27 Where it is determined under this policy that an EQR is to be appointed, the roles, responsibilities and appointment of the EQR are determined by the Engagement Quality Review policy (refer to ANAO Audit Manual — Shared Content, paragraphs 8.42–8.52).

Public interest entities

312.28 Public Interest Entities (PIES) are a concept under the financial statement assurance independence requirements in APES 110 and refer to those auditees which have a fiduciary or other financial trust relationship with a large number and wide range of stakeholders.

312.29 Annually the FSASG GED determines which entities are PIEs, and for those entities, additional quality control and independence requirements apply to the financial statement audit, including the appointment of an Engagement Quality Reviewer.

312.30 The PIE concept does not apply to other audits, including performance statement audits and therefore there are no direct consequences to the performance statement audit arising where the FSASG GED determines that auditee to be a PIE. However, where a performance statement auditee is considered a PIE by FSASG, the audit team should consider whether the reasons for that auditee being designated a PIE are relevant to the assessment of the auditee’s performance statements engagement risk.

313. Materiality

Guidance

Materiality

313.26 Materiality considerations affect decisions concerning the nature, timing and extent of audit procedures and the evaluation of audit results. Considerations may include the value of expenditure for the activity being measured, stakeholder concerns, public interest, regulatory requirements, and consequences for society. Materiality can vary over time and can depend on the perspective of the intended users and responsible parties.

313.27 Audit effort is directed at areas that present a risk of material misstatement, meaning that the audit strategy is designed to reduce the risk of material misstatement to a suitably low level. The level of risk of material misstatement reflects the auditor’s assessment of the risk that, prior to the conduct of the audit activities, material misstatements exist in the performance statements, whether due to fraud or error.

313.28 Materiality considerations should include the assessment of the appropriateness and completeness of performance information.

313.29 Materiality pertains to the information needs of intended users. Ultimately a misstatement will be determined to be material under Chapter 325 of this manual if it, individually or in aggregate, could reasonably be expected to influence relevant decisions of intended users taken on the basis of the subject matter information. Relevant decisions include the conduct of accountability and transparency through the parliamentary process.

313.30 ANAO considers the Parliament to be the primary users of our audit work. Reporting to the Parliament achieves accountability and transparency, consistent with ANAO’s purposes. Other key users that are relevant to our materiality considerations include the general public and other stakeholders who would use the Performance Statements to assess performance of the Department. For example, a peak body representing universities may rely on the Department of Education and Training’s performance statements to understand how university-related programs are working.

313.31 The ANAO’s performance statements auditor’s reports are addressed to the Finance Minister or the responsible Minister and the Executive Government is also a user of the performance statements. While the Executive Government are an important and relevant user to consider, the authority of Ministers to direct Commonwealth Entities to provide them with information means that Executive Government information needs are sometimes less relevant to the purposes of accountability and transparency.

313.32 ANAO performance statements audits presume that performance measures are material. The executive government identifying an individual program to the Parliament through the budgetary process indicates that the executive government has assessed that the program is important to the achievement of the entity’s purposes.

313.33 Relatively small programs could have qualitative aspects of their delivery which are material to the affected constituents and other stakeholders. Portfolio Budget Statement preparation rules require at least one high level performance criterion for each program and a full suite of performance measures for new programs or materially changed programs.

313.34 These presumptions serve a similar purpose in planning the audit to an overall performance materiality threshold in a financial audit. The nature of the Commonwealth’s performance reporting framework makes a definitive overall financial materiality impracticable, as the objective of performance reporting in the Commonwealth is to address the broad-based non-financial performance of an entity. Performance reporting involves a mixture of measures (outputs, efficiency, and effectiveness) including qualitative and quantitative information about key activities (the activities that address the purposes of the entity) such that there is no central single driver of performance (unlike financial reporting where the overall performance and position of the entity can be meaningfully summarised in monetary terms).

313.35 The presumption that all appropriate measures are material is rebuttable in limited circumstances. Where the audit team determines that a purported performance measure does not relate directly to the auditee’s purposes or key activities, they may conclude that the auditee not reporting the outcome of this performance measure in the performance statements does not give rise to a material omission according to paragraph 313.13 of this chapter.

313.36 The fact that all appropriate measures are considered material does not imply that the same level of work should be done for each measure in this category, as the level of work will be influenced by other factors, including:

1. the susceptibility of the performance measure to material misstatements without regard to the possible impact of any controls and our procedures (i.e. the inherent risk of misstatement for the performance measure — how likely there is a misstatement in the population that should be prevented or detected by the auditee’s internal controls and our audit). The greater the inherent risk, the more audit work will be required for the auditor to be satisfied that the residual risk of undetected misstatements has been reduced to a suitably low level (this may include controls tests and substantive tests or only substantive tests).
2. the tolerance of users of the performance statements for a misstatement in the measure (e.g. for a measure about significant legislative breaches, the users may not tolerate any misstatement other than that which is clearly trivial, but for a measure about the estimated level of satisfaction amongst stakeholders, users are more likely to accept that a reported result is an approximation and cannot be accurate to the same level). The level of misstatement that is acceptable in each circumstance will affect the nature and extent of testing, including the number of items or transactions not being tested (in a targeted approach) or the number of sample tests (in a representative sampling approach).

313.37 Guidance in respect of accumulating audit differences and applying materiality to misstatements to form a conclusion is at Chapter 325 Forming the audit conclusion.

Materiality and performance engagement risk

313.38 Materiality and audit risk need to be considered together, as considerations of materiality will consequently impact audit risk.

313.39 Audit risk includes the risk of expressing an inappropriate conclusion based on evidence that is not soundly based. This may include evidence that is improper or incomplete as a result of inadequacies in the evidence gathering process, misrepresentation or fraud. It also includes operational risks that an audit will not be completed in accordance with the approved budget and timeframe and to the required quality.

313.40 Determining materiality and audit risk as a team, with Engagement Executive leadership, is vital to avoiding under or over-auditing. This can result where team members have different views on materiality and audit risk.

313.41 Audit risk is assessed in planning and throughout the conduct of a performance statements audit. The assessment of audit risk requires the audit team to:

1. understand the entity, its activities and its environment;
2. assess risks to the audit conclusion; and
3. design and conduct audit procedures to reduce audit risk to an acceptably low level.

Application of materiality concepts to ancillary information

313.42 The performance statements, including commentary, analysis and ancillary information, should present a fair, balanced and understandable view of the entity’s performance in achieving its purposes.

313.43 The audit includes procedures to assess the statements’ veracity, particularly whether it presents a balanced perspective of the performance results overall. This includes considering the quality and reliability of the analysis, such as the reasons for not meeting targets, as well as the quality and accuracy of commentary and other information.

313.44 In making this assessment the auditor remains alert to positive/negative bias or irrelevant information in commentary and considers whether the additional information is presenting a view which is inconsistent with the performance measures and financial results. For example, auditors may consider whether the additional information obscures material information or makes the performance statements less readable. Where inconsistencies are identified the auditor should consider whether the information represents a material misstatement. In accordance with Chapter 325325 of this manual, such potential or actual misstatements would be considered firstly on the impact on the performance measure itself but also against the related key activities/programs, outcomes, then the performance statements as a whole.

314. Planning audit procedures

Guidance

314.4 Documentation of the planned audit procedures include the nature, timing and extent of evidence-gathering procedures and the rationale for selecting the approach.

314.5 When determining the extent of time and resources required for planning, audit teams are to consider:

1. the audit team’s experience with and understanding of the entity and the audit topic;
2. the size of the team;
3. the level of the audit team’s auditing experience;
4. the scope of the audit in terms of the size, variety and technical complexity of the activities and performance measures of the audited entity; and
5. the complexity of the proposed tests and evidence-gathering techniques.

314.6 The planned audit procedures documentation includes:

1. the types and expected sources of audit evidence, including substantive and controls-based procedures;
2. the techniques planned to be used to gather evidence;
3. the planned audit procedures, including timing and extent;
4. personnel and expertise requirements, including the nature and extent of the use of specialists or experts when applicable;
5. the allocation of tasks to be performed by audit team members;
6. materiality; and
7. assessment of audit risk.

314.7 Planning is not a discrete phase but a continual process, and the test program may need to be revised to reflect any changes in the planned approach. It is recommended that updates to the planned approach and rationale are documented to explain why the change was necessary.

314.8 As part of planning and conducting a performance statements audit, the audit team is required to obtain an understanding of the entity and the programs and activities pertaining to the entity’s performance statements. This should include making an assessment of whether fraud, or related wrongdoing, may have a significant impact on the performance statements. It is not the auditors’ responsibility to prevent or detect fraud or other wrongdoing through the conduct of their audits. This is the responsibility of the entity itself. The ANAO is also not in a position to determine whether a fraud or other wrongdoing has actually occurred.

314.9 It is, however, the auditor’s responsibility to detect material misstatements in the performance statements that may occur as a result of fraud, including intentionally misstated performance information designed to obscure the misappropriation of assets or to misrepresent the entity’s performance. This risk may be elevated because excessive pressure exists for management to meet the requirements or expectations of third parties, and systems for recording performance information may be less mature than those for recording financial information.

Materiality considerations

314.10 The consideration of materiality is relevant to all aspects of performance statements audits. Therefore, the auditor needs to consider materiality when identifying which activities and performance measures are to be tested as part of the audit strategy, evaluating the evidence, identifying misstatements and developing the audit conclusion.

314.11 Quantitative factors affecting materiality relate to the magnitude of the potential or actual misstatements compared to performance measures that are expressed numerically (for example, for a performance measure based upon the production of 100,000 widgets, materiality considerations would be based around the number of widgets). The auditor needs to consider the aggregate effect of all misstatements that are more than clearly trivial both on the performance measure to which it relates and to the overall performance statements.

314.12 Qualitative factors affecting materiality may include such things as:

1. when a target has been identified, whether the result of a potential misstatement affects the measurement of the achievement of the target (; (this may include a threshold or benchmark value not formally identified in the auditee’s corporate plan but which users of the performance statements would have regard for, such as a target specified in legislation or a government policy);
2. the interaction between, and relative importance of, various components of the activity or performance measure when it is made up of multiple components, such as an activity with numerous performance measures;
3. whether a potential or actual misstatement affects compliance with law or regulation;
4. the effect of an adjustment on past or current activities or is likely to affect future activities;
5. whether a misstatement is significant having regard to known previous communications to users;
6. whether a particular aspect of the activity or performance measure is significant with regard to the nature, visibility and sensitivity of the audited entity;
7. whether the health or safety of citizens is affected; and
8. any other aspect which relates to the achievement of transparency or accountability with respect to the entity’s performance.

Chapters 321 to 325

321. Entity security requirements

Guidance

321.4 When allocating resources to an audit, the likely level of security clearance required should be considered, and staff should be allocated accordingly where possible.

321.5 The audit team needs to give regard to the reasonable security requirements of the entity being audited.

321.6 For further information, the audit team can refer to the ANAO’s Personnel Security Policy, available on MyANAO Protective Security page.

321.7 There are a number of factors that the audit team can consider when assessing the reasonableness of the entity security requirements. These include whether the requirements:

• impinge on access to documents and systems necessary to the completion of the audit;
• introduce barriers to the efficient conduct of the audit that are contrary to the exercise of access powers under the A-G Act; and
• do not provide for the same level of clearance for the audit team as the level of clearance for relevant entity personnel.

321.8 Entity ICT security protocols may be triggered in the event of inappropriate access. Inappropriate access may result in reputational damage to the ANAO as a trusted user of entity information and action against the individuals involved.

322. Gathering and verifying audit evidence

Guidance

Gathering audit evidence

322.12 In order to not be materially misstated, the performance statements must be based upon appropriate performance measures, and the measurement of the entity’s performance against those measures must be completely and accurately reported.

322.13 Audit evidence is information obtained and used to support the audit conclusion. The collection, analysis and use of evidence are essential elements of the effective conduct of a performance statements audit.

322.14 Decisions concerning the evidence-gathering process begin at the planning phase of an audit. The exercise of professional judgement concerning sufficient and appropriate audit evidence then continues throughout the audit. The audit team must assess whether the evidence obtained has the sufficient quantity and the appropriate quality. This assessment will inform the decision to obtain additional or different evidence.

322.15 Auditors need to have discussions with the auditees about the available evidence at the planning, interim and execution phases. They should ascertain the nature of the evidence and how it will need to be collected, analysed, and interpreted by the audit team.

322.16 It is important that the audit team obtains evidence from a variety of sources, as different perspectives and conclusions may be presented from multiple sources. It is necessary to continually identify potential sources of evidence during the conduct of the audit. This is because not all circumstances can be foreseen during planning.

322.17 The four main types of audit evidence and their sources are set out in the table below.

322.18 Appropriateness of audit evidence is attributed to both the relevance and reliability of the evidence. While the assessment of sufficiency and appropriateness is a professional judgement of the auditor in each case, auditors may find it helpful to consider the following generalised statements concerning evidence appropriateness:

• documentary evidence is more reliable than verbal evidence, but the reliability varies depending on the source and purpose of the document;
• testimonial evidence that is corroborated in writing is more reliable than verbal evidence alone;
• evidence based on many meetings together is more reliable than evidence based on a single or a few meetings;
• testimonial evidence obtained under conditions in which people may speak freely is more reliable than evidence obtained under circumstances in which people may feel intimidated;
• evidence obtained from a knowledgeable, credible and unbiased third party is more reliable than evidence obtained from the management of the audited entity or others who have a direct interest in the audited entity;
• evidence obtained when internal control is effective is more reliable than evidence obtained when internal control is weak or non-existent;
• evidence obtained through the auditor’s direct observation, computation and inspection is more reliable than evidence obtained indirectly; and
• original documents are more reliable than copied documents.¹³

322.19 When gathering evidence, it is important to remember that while individual pieces of data or information, such as date of birth, may not be sensitive or classified, combined with a person’s address and bank account details, the information in aggregate is likely to be more sensitive and will require appropriate handling and storage for privacy and/or security reasons.

322.20 Decisions concerning the retention in audit working papers of data and the results of analysis must balance the need to retain sufficient evidence to support the audit findings and conclusions with the need to reduce the risk of unnecessarily retaining sensitive or classified information. It may be possible, for example, to delete reference to one or more sensitive fields, such as tax file number, without affecting the sufficiency of the audit evidence in the working papers.

322.21 Audited entities will often facilitate the ANAO’s work by giving ANAO staff privileged (researcher) level access to their document management systems. It would be inappropriate to conduct an information search with the purpose of: monitoring an entity’s preparation of a response to an Interim Management Letter or a proposed auditor’s report; or gathering additional information after an audit has concluded.

Gathering evidence on attributes of good performance information

322.22 In the first stage of a performance statements audit, the engagement team focuses on assessing whether the performance measures are in accordance with the PGPA Rule, which includes that the performance measures:

• relate directly to one or more of the entity’s purposes or key activities;
• use sources of information and methodologies that are reliable and verifiable;
• provide an unbiased basis for the measurement and assessment of the entity’s performance;
• where reasonably practicable, comprise a mix of qualitative and quantitative measures;
• include measures of the entity’s outputs, efficiency and effectiveness if those things are appropriate measures of the entity’s performance;
• provide a basis for an assessment of the entity’s performance over time; and
• have specified targets where it is reasonably practicable to set a target.

322.23 Where performance measures are judged to be appropriate, this means the auditor has concluded that they are capable of being included by the auditee in the preparation of complete and accurate performance statements, and the auditor can therefore infer that they implicitly address the attributes that are features of effective performance information. From the assessment of the appropriateness of an entity’s performance measures, the seven attributes of appropriate performance measures are considered and therefore also form the basis of the audit’s risk assessment for the completeness and accuracy of the performance statements

322.24 Attributes or financial statements audit assertions may be a useful way for the auditor to consider the different types of potential misstatements that may occur for appropriate performance measure, and to design assurance procedures accordingly. While the attributes of appropriate performance measures (reliability, free from bias, etc) are useful general categories for thinking about the risk of material misstatement, auditors will be able to design more efficient and effective audit procedures where the risks of material misstatement are understood and identified at a more specific level.

Verifying audit evidence

322.25 Verifying audit evidence is the first step in analysing audit evidence to ensure that audit findings, conclusions and recommendations are based on sound evidence.

322.26 The risk, significance, and sensitivity of the matter to be reported will determine not only the nature and amount of evidence to be collected, but also the extent of verification.

322.27 Assessing information obtained from entity records is particularly important in circumstances where management information, such as program expenditures, is to be relied on. In these cases, it is essential that the completeness and accuracy of this information is assessed through appropriate audit testing to give the ANAO confidence that the systems and processes used to produce the information can be relied on. This may involve reviewing key system controls, testing a sample of transactions or a combination of those approaches.

322.28 Audit testing is required to be undertaken in these circumstances irrespective of when such information is obtained.

322.29 In addressing the requirements in 322.9, the auditor’s objective includes concluding whether the records are accurate and complete for the audit purpose. The testing of the completeness and accuracy of the auditee information does not necessarily require separate and additional work to other parts of the audit strategy. In the performance statements audit context in many circumstances the significant component of the audit work over the reported performance outcome will be testing the accuracy of the auditee’s records. Evidence over the completeness may be derived from evidence over the IT system, through reconciliation to trusted information sources, by testing how the auditee has satisfied themselves that the information is complete, or any other process. For some entity records, there may be a very low risk of incompleteness and therefore the level of work to address this requirement may only be minimal.

322.30 Having considered and determined an appropriate audit strategy for assessing the completeness and accuracy of the audit evidence, the audit test program should clearly document the basis on which the audit team is satisfied that sufficient and appropriate audit evidence has been obtained.

322.31 The ANAO’s policy in relation to sufficient appropriate audit evidence also applies to any work performed by an expert. When using the work of an expert to support audit findings and conclusions, it must be adequate for that purpose, recognising that the responsibility for the findings generated or conclusions drawn from the work undertaken by an expert rests solely with the ANAO.

322.32 Professional scepticism (ASAE 3000 paragraph A76) means an attitude that includes being alert to, for example:

1. evidence that is inconsistent with other evidence obtained;
2. information that calls into question the reliability of documents and responses to enquiries to be used as evidence;
3. circumstances that suggest the need for procedures in addition to those required by relevant ASAEs; and
4. conditions that may indicate likely misstatement.

322.33 The type of audit evidence gathered will determine the available verification approaches available:

322.34 There are a number of different approaches to test completeness and accuracy of internally generated reports, and each approach provides a varying level of comfort. Professional judgement is required to determine the most appropriate method in the circumstances based on an understanding of how the report is generated and the desired level of comfort.

Standard system reports

322.35 Where the auditee is utilising standard system reports the level of risk that the information reported in an internally generated report is inconsistent with the underlying information captured within the system is relatively low. When the controls for producing the reports have been tested, then there is a reasonable expectation that any errors would have been identified by the system. This does not necessarily mean that the underlying information captured by the system accurately records the events or transactions, unless there are controls in place that the auditor can rely upon that prevents or detects the capture of erroneous data.

322.36 Typical considerations to document include:

1. auditee does not have a development environment, or access to such an environment is limited to external vendor accounts;
2. review of change management logs shows no changes except expected vendor management transactions;
3. collaborative enquiry with different sources within the organisation confirms that the auditee does not undertake development/have access to the application source code;
4. ANAO understanding of the application based on knowledge and experience is that the application is ‘off-the-shelf’ and vendor supported; and
5. ANAO review of the standard user guides identifies the specific reports/controls to be part of the packaged application.

322.37 These are considerations only. It is important that the ANAO is comfortable that the standard reports are unable to be changed by the auditee and only by the vendor.

Technical re-performance

322.38 Technical re-performance involves reviewing the code (e.g. an SQL query) which is used by the system to produce the report. This can only be performed when the auditee is able to access the code, and when the audit team have appropriately skilled team members who can understand the code.

Using the work of other ANAO audit teams

322.39 Performance statement auditors should determine whether the work of the other ANAO audit teams can be used for the purpose of the performance statements audit by evaluating the following:

1. the timing of such work;
2. the nature of the work performance;
3. the extent of the audit coverage;
4. materiality levels set for both audits;
5. proposed methods of item selection and sample size;
6. the documentation of the work performance; and
7. review and reporting procedures.

322.40 As a basis for determining the areas and the extent of work which other ANAO audit teams have completed, the performance statements auditor should consider the nature and scope of the work that has been performed and its relevance to the performance statements auditor’s overall audit strategy and audit plan.

322.41 Examples of work of other ANAO audit teams that can be used by the performance statements auditors include the following:

1. testing of the operating effectiveness of controls by financial statement auditors or others;
2. tracing transactions through the information system relevant to reporting by SADA specialists; and
3. testing of compliance with regulatory requirements by a performance audit team.

322.42 Coordination between audit teams is effective when, for example:

1. discussions take place at appropriate intervals throughout the period;
2. the performance statements audit team informs the other ANAO audit teams of significant matters that may affect the other part of the ANAO;
3. the performance statements audit team is advised of and has timely access to relevant reports and is informed of any significant matters that come to the attention of other parts of the ANAO;
4. all auditors involved use TeamMate files to document their audit work to facilitate the review of the work by the main audit team.

323. Sampling and selecting items for testing

Background

323.1 The approaches available to the auditor for selecting items for testing are:

1. selecting all items;
2. selecting specific items (commonly known as targeted testing); and
3. representative sampling (both statistical and non-statistical).

323.2 The means by which items are selected for testing should be determined by the most efficient and effective means to obtain the necessary assurance given the characteristics of the performance measure.

323.3 There is no representative sampling approach specifically developed and implemented for performance statement auditing and performance statement auditors may choose the approach from either the financial statements or performance audit methodologies that is most suitable for the audit need.

323.4 The ANAO’s financial statements auditing representative sampling methodology (including controls, non-statistical and accept-reject testing) will generally be most appropriate to apply in circumstances where the audited information is financial in nature or where the control environment is effective. The financial statements audit methodology is a non-statistical methodology designed to be highly efficient in circumstances where the error rate is low.

323.5 The ANAO uses both statistical and non-statistical sampling methods. The ANAO non-statistical sampling approach is based on statistical sampling principles. Typically, non-statistical sampling will be more efficient than statistical sampling. The performance audit representative sampling methodology is a statistical approach and may be more suitable where the error rate is higher, for example because of a lack of controls over the recording of information.

323.6 In some situations, representative sampling may not be appropriate. For example, the auditor may use targeted testing or 100% selection of a population where individual items in a population are significant to the performance measure overall. In other situations, sampling may be less efficient than other acceptable alternatives because of the time it takes to examine a larger number of transactions.

323.7 When a decision is made to use a representative sampling approach, the objective ‘is to provide a reasonable basis for the auditor to draw conclusions about the population from which the sample is selected.¹⁴ When a decision is made to use a targeted testing approach, the objective is to provide a reasonable basis for the auditor to draw a conclusion on the targeted items only and no conclusion is drawn on the untested items or extrapolated to the population as a whole.

Guidance

323.18 The ANAO’s methodology for financial statement audit non-statistical sampling and accept-reject testing is described in Chapter 114 of the FSASG Specific volume of this Audit Manual, the Online Audit Guide in TeamMate and is supported by templates located on TeamMate — TeamStore.

323.19 The relevant references in the Online Audit Guide are:

1. Test of Controls (Non-statistical Sampling) — section 5403;
2. Test of Details (Non-statistical Sampling) — section 6201.4.1.6;
3. Test of Details (Accept-Reject Testing) — section 6201.3.1; and
4. Test of Details (Targeted Testing) — section 6201.2.

Statistical and non-statistical sampling

323.20 Although auditing standards recognise both non-statistical and statistical sampling, the preferred approach for performance statements is the use of non-statistical audit sampling. The primary advantages of statistical audit sampling are a statistically derived sample size and a statistically determined evaluation of sampling risk.

323.21 However, the advantages of statistical sampling do not outweigh the primary disadvantages, which include the use of formal techniques to:

1. determine the sample size;
2. determine the sample; and
3. evaluate the results.

323.22 Ordinarily, the application of non-statistical sampling will result in a sample size comparable to the sample size resulting from an efficient and effectively designed statistical sample, considering the same sampling parameters. Therefore, a properly executed application of non-statistical audit sampling through the use of the test of details sampling template will generally be the preferable approach.

323.23 In some circumstances, the use of a statistical approach may be appropriate where the parameters of the population are outside the range supported by the test of details sampling template, for example an error rate greater than 5%.

323.24 Samples chosen using the supplemental level of assurance and low level of assurance strategies will not provide sufficient substantive evidence on their own but may be suitable in certain parts of a broader audit strategy in certain circumstances. The supplemental level of assurance and low level of assurance strategies accept a higher level of sampling risk on the basis that audit evidence obtained from other audit procedures is contributing to the overall sufficiency of audit evidence. Further guidance on the levels of assurance to be obtained from different sampling approaches is provided at 6201.4.1.6 in the Online Audit Guide.

Stratification

323.25 In some circumstances, it may be convenient to divide a population into monetary or risk-based strata. The population is divided into sub-populations or strata and each stratum is treated separately. The calculation of sample size and selection of the items for testing for each stratum is done separately.

Sample selection techniques

323.26 Random sampling - all items in the population have the same probability of being selected. The auditor selects a random sample by matching random numbers generated by a computer or selected from a random-number table with sequentially numbered items in the population.

323.27 Systematic sampling - the auditor determines a uniform interval by dividing the number of physical units in the population by the sample size. A starting point is randomly selected in the first interval and one item is selected throughout the population at each of the uniform intervals from the starting point.

Judgemental selection

323.28 Haphazard sampling - a sample method that attempts to approximate a random selection by selecting sampling units without any conscious bias. This method of sample selection is not permitted in the ANAO unless the auditor gets the prior approval of the Engagement Executive. A situation where haphazard selection might be approved is in the audit procedure where the purpose of the audit test is to demonstrate that assets on hand or transactions that have occurred (such as a set of emails in an inbox) have been completely recorded in the auditee’s system. The unstructured nature of these sampling units may prevent the auditor from practically using an application to randomly or systematically select items. The rationale and approval are required to be documented in the working papers.

323.29 Other forms of judgemental sampling are not allowed as they are not prescribed by paragraph 323.16. Inappropriate forms of judgemental sampling for representative testing include intentional bias sampling and block sampling.

323.30 Intentional Bias - the auditor selects from the population based on some pre-determined criteria. The auditor consciously selects items which are believed to be representative. This form of selection is distinct from targeted testing which is a substantive sampling technique but is not appropriate for representative audit sampling. If this approach is considered, the audit team should implement a targeted testing or stratified approach which incorporates an element of targeted testing.

323.31 Block Sample - involves the selection of some contiguous items, for example items in sequence. It is common when conducting cut-off testing. This method of selection is a non-sampling technique and does not result in a representative sample.

Choosing a sample before period end (Interim testing)

323.32 Sampling populations will typically be for the full financial year. Where controls testing or substantive testing is to be performed before the end of the period, the auditor can estimate the total population and determine the sample size for the estimated population. The auditor can then test those sampled items that have occurred at interim and test the remaining sample at final. There are different methods of implementing this approach but any approach used must allow for each unit in the complete population having an equal chance of selection.

323.33 Should an auditor wish to draw a conclusion at a point in time before the period end, the population from which the sample is chosen needs to be defined at that point in time and the sample size generated accordingly.

Deviations and misstatements

323.34 The following paragraphs provide guidance on evaluating deviations and misstatements under the headings ‘controls testing’ and ‘substantive tests of detail’, respectively. When applying this guidance, regard should be given to the requirement for the auditor to obtain a high degree of certainty that deviations or misstatements are not representative of the population, by performing additional audit procedures.

Controls testing

323.35 The control testing sampling template is used for controls testing when using ANAO non-statistical sampling. Note that the sample sizes which are typically used in initial samples do not allow for any exceptions. The history of control deviations should be considered in deciding whether to use this approach.

323.36 If the auditee is able to fix identified control errors which are demonstrated to be isolated instances, the auditor can then select a ‘remediated sample’ and retest the control to form a conclusion on its effective operation. A ‘remediated sample’ is an additional sample selected from the population; the size of the remediated sample is smaller than the original sample and is generated by the control testing sampling template using the same initial parameters.

323.37 Remediation of errors is only appropriate where the auditee intends to revise all affected control events for the period and there is an intention to rely on these controls. Where the auditor is unable to determine if the exceptions are isolated instances which can be remediated, it may be possible to quarantine those transactions in which the errors where identified. For example, there may be a one-week period where a contractor was responsible for the operation of the control and it is possible to exclude transactions for that week from the population. The auditor can then select a remediated sample excluding those transactions and retest the control to form a conclusion on the controls for that part of the population not excluded.

Substantive tests of detail

323.38 Where the financial statements audit non-statistical sampling approach is used, any deviations would be assessed in accordance with the financial statements audit approach to projecting financial misstatements as described in Chapter 114 of the FSASG volume of this manual and the relevant provisions described above of the Online Audit Guide.

323.39 When applying a binary / attribute representative sampling approach (either accept reject or performance audit representative sampling), the audit team must assess whether the level of error/deviation detected in the initially chosen sample is acceptable given the expected level of error set when the sample size is chosen. If the error rate is greater than initially expected, both sampling approaches require additional samples to be selected and tested or the application of an alternative sampling approach.

323.40 In determining whether a binary / attribute sampling approach is an efficient and effective audit approach, audit teams should consider the impact of the expected error rate on the sufficiency and appropriateness of the audit evidence. For example, if the expected error rate is 15% and the quantitative materiality for the related performance error is 5% the audit testing completed will not be sufficiently precise for the auditor to conclude that the performance result is not materially misstated.

323.41 Projected errors based upon representative tests of details may be suitable for determining whether the residual risk resulting from identified misstatement is acceptable to the auditor but are not suitable bases for the auditee making an adjustment to their reported results. Where the detected error rate is too high for the auditor to tolerate, the auditee will need to perform its own procedures to determine the appropriate amendments required to allow the auditor to perform additional testing to be satisfied that the adjusted figure is not materially misstated.

323.42 In determining the level of assurance required from a representative sample, all substantive sampling approaches provide for a high or moderate level of assurance which indicates the level of sampling risk is approximately 5%-10% (high assurance) or 15% to 27% (moderate). In some circumstances a low level of assurance with a higher level of sampling risk may be appropriate. A sample size giving a high level of assurance from a representative sample may be required where the sample being selected is the principal evidence over a performance measure at a moderate or higher level of risk.

323.43 Alternatively, if the audit had obtained evidence about the design, implementation, and operating effectiveness of controls over the performance measure it is less likely that a high level of assurance is required from the substantive audit sample. Similarly, if there are multiple substantive samples or other sources of substantive audit evidence (such as an analytical review procedure or evidence obtained from relying upon financial audit procedures) may support the audit team to conclude that a lower level of assurance is required from the planned substantive sample.

324. Representation letters

Guidance

324.9 The auditor is required under the auditing standards to get written representations from management and, where appropriate TCWG, that they believe they have fulfilled their responsibilities, and to support other audit evidence in the performance statements. The written representations are written statements from management and TCWG to the auditor which attest to them having fulfilled these responsibilities and may be used to confirm other specific audit matters. A representation letter may be used to focus management’s and TCWG’s attention on particular matters and thus cause them to specifically address those matters in more detail than would otherwise be the case.

324.10 Written representations are requested from those responsible for the preparation of the performance statements. Those individuals may vary depending on the governance structure of the entity and relevant law or regulation; however, management (rather than TCWG) is generally the responsible party. Written representations may therefore be requested from the entity’s chief executive and, if considered appropriate, the management official with delegated authority for the preparation of the performance statements.

324.11 In rare and exceptional circumstances, the auditor may conclude that written representations should be sought from TCWG (i.e. the board of directors of corporate Commonwealth entities) as well as those sought from management as additional audit evidence to address a particular risk of material misstatement. Examples of such circumstances include:

1. where the auditor believes that management have not discharged their responsibility for the preparation of the performance statements; or
2. where the auditor considers it necessary to request representations which only TCWG are able to provide; for example, representations that relate to strategic decisions by the Board of Directors which only directors are able to provide.

324.12 Each year, PSG releases an updated MRL template that reflects the latest relevant auditing standards and the PGPA Rule. These templates should be used and tailored for individual auditees, in particular where additional representations are required in the specific circumstances of an entity. Rarely, a representation in the PSG template may be omitted if it is not required by the auditing standards and is not relevant to the entity. Approval for such omissions is required from the PSG GED in accordance with 324.6.

324.13 PSG does not maintain a template that can be used to obtain written representation from TCWG. When an Engagement Executive decides to obtain written representations from the directors of a corporate Commonwealth entity, those written representations should be in accordance with the ANAO Auditing Standards. The Engagement Executive should consult with PSG before seeking written representations from directors.

324.14 When there is a delay between signing the RL(s) and the auditor’s report, the auditor should consider the necessity to undertake additional procedures to ensure that no matters have arisen subsequent to the date of the RL(s) which impact on the auditor’s report.

324.15 Written representations provide necessary but not sufficient audit evidence; that is, a representation does not in itself provide sufficient appropriate audit evidence. Circumstances where other appropriate audit evidence does not exist are anticipated to be relatively rare. However, if they do arise, such circumstances can give rise to a limitation of scope, and where it is material, the matter should be referred to QTAC as per the ANAO Audit Manual — Shared Content, paragraph 8.86.

324.16 If management or TCWG provide a representation which is contradicted by other audit evidence, the auditor should investigate the circumstances and reconsider the reliability of other representations made as necessary.

324.17 The auditor is required to re-consider the possible effects on their audit conclusion of the performance statements if there is doubt about the integrity of management or TCWG. This occurs when the representations required are not reliable, or if the representations requested are not provided.

325. Evaluating misstatements and forming the audit conclusion

Background

325.1 In considering misstatements identified during the audit, the auditor’s objective under ASA 450 Evaluation of Misstatements Identified during the Audit is to evaluate:

1. the effect of identified misstatements on the audit; and
2. the effect of uncorrected misstatements, if any, on the performance statements.

Guidance

Types of misstatement

325.20 There are four main types of misstatements in quantitative and qualitative performance measures:

1. omissions of information;
2. incorrect claims in information;
3. misleading or unclear representation of information; and
4. bias in information so that positive aspects of performance are given focus in reporting with negative aspects of performance omitted.

Accumulation of identified misstatements

325.21 Misstatements that are not clearly trivial are accumulated in the audit file in a manner that allows for referral to the auditee and evaluation by the audit team.

325.22 There are two main ways that uncorrected misstatements will be assessed when determining the cumulative effect of uncorrected misstatements on the audit conclusion.

1. The engagement team will assess the impact of all identified uncorrected misstatements on individual performance measures. Where there is more than one misstatement for a particular performance measure the auditor may conclude that any one misstatement is not material but the cumulative effect of the misstatements means that users are misled.
2. Following the assessment of accumulated misstatements at the individual performance measure level, the engagement team then considers the uncorrected misstatements cumulatively against key activities/programs, then outcomes, then the entity itself.

325.23 As each auditee presents its information differently (for example by activities, programs etc.), the approach to accumulating misstatements at levels higher than individual misstatements may differ for each entity. The principle however is consistent that the starting point is determining if there is a material misstatement at the performance measure level then considering the impact of that misstatement at each higher level presented by the auditee in the performance statements until the overall impact on the fair presentation of performance at the whole statement level is considered.

325.24 To help in evaluating the effect of misstatements, misstatements may be categorised as follows:

1. factual misstatements: the amount of the misstatement is known;
2. judgmental misstatements: differences arising from the judgements of management about accounting estimates that the auditor considers unreasonable, or the selection or application of accounting policies that the auditor considers unreasonable;
3. projected misstatements: the auditor’s best estimate of misstatements in populations based on projections of misstatements in sampling. Note that as projected misstatements are only an estimate of misstatements, management should not adjust the performance statements without further investigation and determining the actual misstatement; and
4. misstatements that have attributes that make them material by nature.

325.25 After considering misstatements individually, the auditor will need to consider the remaining uncorrected misstatements in combination with others. The practitioner is unlikely to be able to accumulate misstatements and consider them together in the same way as a financial statements audit for a performance statement comprising diverse and varied activities and performance measures. However, the auditor will still need to consider whether there are misstatements that relate to the performance statements as a whole.

325.26 The auditor is required to accumulate all the uncorrected misstatements identified during the engagement other than those that are clearly trivial. This should be documented on a schedule so that the uncorrected misstatements can be considered collectively. While it will not be possible to add up qualitative misstatements or those relating to different elements, it may be possible to group the misstatements according to the elements in the performance statements.

325.27 The auditor should endeavour to group related uncorrected misstatements at the lowest practicable level, for example at the program or key activity. By grouping at this level, misstatements can be collectively assessed against the program or key activity to form a view of the presentation of the overall outcome for that level. The outcomes for all programs or key activities can then be assessed collectively.

325.28 Misstatements of subject matter information in narrative form may need to be concisely described on the schedule for accumulation purposes.

Consideration of identified misstatements as the audit progresses

325.29 A misstatement may not be an isolated occurrence. A misstatement arising from a breakdown in internal control may indicate that other misstatements also exist. Similarly, an inappropriate assumption identified in one measure may suggest that misstatements exist in other measures using the same assumption.

325.30 Where frequent and/or material misstatements have been identified during the engagement, the auditor should consider if the assessments made to date, about whether misstatements are clearly trivial, should be revised if initial expectations about the level of misstatements in the subject matter were too low. If we identify an increased number of misstatements that have been deemed clearly trivial, we may need to revise these assessments until we are satisfied that misstatements treated as clearly trivial, either individually or aggregated with other adjustments, are definitely trivial to the performance statements.

325.31 During the conduct of the audit and as more misstatements are identified the risk increases that the accumulated misstatements taken together would have a significant impact on the decisions of users of the performance statements, even if no single performance measure is misstated by more than the materiality thresholds set during the planning of the audit. In these situations, the audit team needs to consider whether the audit strategy or audit plan need to be reconsidered to reduce this risk. The Engagement Executive may consider explaining to management (and, if considered appropriate, TCWG) the implications for the audit when misstatements are not corrected and strongly encourage them to correct all misstatements that are not clearly trivial. Weaknesses in these areas may also present an audit finding that should be reported in accordance with Chapter 333 of this manual.

Communication and correction of misstatements

325.32 The audit team should promptly advise all accumulated misstatements and uncorrected misstatements related to prior periods to the appropriate level of management, and request that they be corrected. The appropriate level of management is the one that has responsibility and authority to evaluate the misstatements and to take the necessary action. Should management not correct a misstatement, the auditor shall obtain an understanding of management’s reasons and use that understanding when evaluating the unadjusted misstatements for the impact on the performance statements as a whole. If the effect of the unadjusted differences is material, a modified audit report will need to be considered. Uncorrected misstatements that do not contribute to a material misstatement may be advised in aggregate in appropriate cases.

325.33 While there is no requirement for comparative information or for performance measurements to be used year-on-year, where the ANAO has audited the previous year’s performance statements, the audit team needs to be alert to the possibility that the correction of a misstatement identified in that audit by adjustment of the current year’s figures might give rise to a material misstatement in the current year’s figures (i.e. the adjustment causes the current year figures to be materially different to what they would have been had there been no error in the current and prior periods). For example, if the performance measure related to annual production of widgets, a misstatement last year that overstated widget production by 10,000 may have the effect of understating the current year measure by the same amount. In this situation, retrospective restatement and/or suitable disclosure may be necessary if the effect on the current year is material.

Evaluating the effect of uncorrected misstatements

325.34 Before the evaluation of the effect of uncorrected misstatements, the audit team shall re-examine materiality determined during the planning based on the actual performance measure results to confirm whether it remains appropriate.

325.35 The circumstances related to some misstatements may cause the auditor to evaluate them as material, individually or when considered together with other misstatements accumulated during the audit, even if they are lower than the quantitative materiality threshold set. For example, the extent to which a misstatement relates to a fraudulent event or transaction.

325.36 When reviewing individual misstatements, the auditor should assess quantitative and qualitative materiality by considering, for example, whether the item:

1. is capable of precise measurement or whether it arises from an estimate and, if so, the degree of imprecision inherent in the estimate;
2. involves the deliberate misstatement of performance or an indication / trend of only reporting positive performance outcomes;
3. masks a change in overall trends in entity performance;
4. concerns a segment or other portion of the entity’s business that has been identified as playing a significant role in the entity’s operations or results;
5. affects material compliance with legal or regulatory requirements;
6. (although often not relevant in the context of Commonwealth entities) has the effect of increasing management remuneration, for example, to satisfy the requirements for the award of bonuses or other incentives;
7. involves concealment of an unlawful transaction;
8. affects a large number of stakeholders or particular stakeholder groups of particular importance to the audited entity;
9. demonstrates inconsistency with previously communicated information to the Parliament or the public in general;
   ; and
10. may affect the decisions of users in response to certain types of disclosures.

Written representations

325.37 The auditor is required to request a written representation from management and, where appropriate, TCWG about uncorrected accumulated misstatements (Refer to Chapter 324 Representation letters).

Minimum documentation - evaluating misstatements

325.38 The following information should be documented:

1. all misstatements accumulated during the audit and whether they have been corrected; and
2. the auditor’s conclusion as to whether uncorrected misstatements are material, individually or in aggregate, and the basis for that conclusion.

Forming the audit conclusion

325.39 In an attestation audit, the audit conclusion is formed over the subject matter information of the audit, which for performance statements audits are the performance statements themselves. A modified audit conclusion is required when the performance statements are not free of material misstatement or where the auditor is unable to conclude whether performance statements are free of material misstatements. The term ‘modified conclusion’ covers all audit conclusions except for unqualified.

325.40 Consequently, the identification of possible or actual non-compliance with the broader performance statements framework or the entity’s performance statements preparation process is not automatically a cause for a modified auditor’s report. Instead, in forming the audit conclusion the auditor must assess the impact of any such matter on the performance statements as a whole and through the frame of material misstatements.

325.41 Misstatements are differences between the performance statements and the auditor’s assessment of the appropriate evaluation of the events or transactions being measured in accordance with the performance statements preparation framework specified in the audit criteria. Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence relevant decisions of intended users taken on the basis of the subject matter information.

325.42 As such, in order to form the basis for a modified audit conclusion any issue or combination of issues must:

1. arise from a material error, omission or falsification (or a potential error, omission or falsification for which audit evidence cannot be obtained) of the performance statements themselves;
2. represent material non-compliance with the performance reporting requirements included in the audit criteria; and
3. in the auditor’s judgement, the outcome of (a) and (b) above, is judged by the auditor to reasonably be expected to influence the relevant decisions of intended users of the performance statements.

325.43 Under ASAE 3000 there are four possible conclusions that the auditor can come to:

1. unqualified — where the auditor concludes that the performance statements comply in all material respects with the audit criteria;
2. qualified — where the auditor concludes that the performance statements comply with the criteria except for a certain number of material but not pervasive misstatements, or where the auditor is not able to obtain sufficient appropriate evidence over a matter that poses a risk of giving rise to a material but not pervasive misstatement (also known as a scope limitation);
3. adverse — where the auditor concludes that the performance statements do not comply with the criteria because of the existence of material and pervasive misstatements; or
4. disclaimer of conclusion — where the auditor is not able to obtain sufficient appropriate audit evidence and the possible impact of this scope limitation is both material and pervasive to the performance statements as a whole.

325.44 To form an audit conclusion, the auditor first must conclude on whether sufficient appropriate audit evidence has been obtained, and where there are deficiencies in the evidence, seek to obtain further evidence. Having considered all the evidence that the auditor has obtained, including evidence that contradicts the information and judgements made by the preparer of the performance statements, if the auditor assesses that sufficient audit evidence has been obtained, a conclusion can be drawn and reported in the auditor’s report.

325.45 Where there is sufficient appropriate audit evidence and no unadjusted misstatements in the performance statements, then an unqualified conclusion can be drawn.

325.46 Where there is sufficient appropriate audit evidence and some unadjusted misstatement, the auditor forms an unqualified, qualified or adverse conclusion depending upon the materiality and pervasiveness of the misstatements.

325.47 Wherever a conclusion other than unqualified is formed, the auditor’s report is required by ASAE 3000 paragraph 69 to include a Basis for Qualified/Adverse/Disclaimer of Conclusion paragraph that describes the reasons for modified conclusion.

325.48 The assessment of the materiality of unadjusted misstatements, individually and collectively, is described in Chapter 325 Evaluating misstatements and forming the audit conclusion.

325.49 Uncorrected misstatements will be pervasive where they also feature one or more of the following characteristics:

1. they are not confined to specific aspects of the performance statements (e.g. there are material errors in a substantial number of performance measures affecting a number of key activities being measured);
2. if they are confined, they relate to a substantial proportion of the performance statements (e.g. there is a very significant unadjusted misstatement affecting a very important performance measure relating to a major activity of the entity); or
3. in relation to disclosures, they are fundamental to the users’ understanding of the performance statements (e.g. the performance statements do not accurately describe the activities or any limitations in the accuracy of the performance measure).

325.50 In circumstances where the auditor is not able to gather sufficient appropriate audit evidence (after considering any practicable means to gather the necessary evidence), the opinion is modified in respect to the possible effects of that scope limitation.

325.51 In circumstances where the auditor is not able to gather sufficient appropriate audit evidence (after considering any practicable means to gather the necessary evidence), the opinion is modified in respect to the possible effects of that scope limitation.

325.52 In all circumstances where a conclusion other than unqualified is being considered, consultation with QTAC is required. In accordance with ANAO Audit Manual — Shared Content Chapter 8, a meeting of QTAC should be convened to consider the Engagement Executive’s basis for assessing that a modified conclusion may be required and form a recommendation to the Auditor-General about an appropriate ANAO response to the circumstances, including the appropriate conclusion to be drawn. In accordance with ANAO Audit Manual — Shared Content Chapter 8, the Auditor-General is the final decision maker on all matters referred to QTAC.

Relationship between identified misstatements and the audit conclusion

325.53 Any combination of misstatements that is collectively material to the overall performance statements would give rise to at least a qualified audit conclusion. In making the assessment of whether misstatements are collectively material and, there are two main frames for consideration, which may also affect the description of the modification in the auditor’s report:

1. by performance measure; and
2. by criteria.

325.54 Some audit criteria, such as compliance with the PGPA legislative framework, are unlikely to be specifically related to particular activities or performance measures. It will therefore only be meaningful to judge their overall impact based upon the collective impact of any misstatements or issues on the performance statements as a whole. For example, failure of the Accountable Authority to state that in their opinion the performance statements accurately present the performance of the entity during the period cannot be isolated to particular performance measures and, given how fundamental this assertion is to the understanding of the users and to the ANAO in obtaining sufficient appropriate audit evidence, would likely be regarded as pervasive.

325.55 Other criteria, such as the accurate presentation of the results of the performance measures, are likely to be specifically related to narrower aspects of the performance statements. Unless such issues are the result of systematic failures in the preparation of the performance statements, the auditor could likely form a view and express a Basis for Conclusion that the particular performance measure was misstated.

325.56 To determine what the overall impact is on the audit conclusion, when assessing at the activity/performance measure level, the application of materiality should consider the information needs of the users, including:

1. how significant is the misstatement to the purpose (is it particularly large or important relative to the base measure)?
2. are there other misstatements also impacting upon the program (is the collective misstatement relatively large or important relative to the program or key activity)?
3. how significant is the performance measure/activity to the related program or key activities?
4. is the misstatement material in nature, including:
   
   1. does it change whether or not the entity is able to report that the performance measure’s target has been achieved?
   2. does it impact upon a previously reported position or the change in an overall trend or expectation of users?
   3. does it relate to non-compliance with key legislation or relate to criminal or fraudulent behaviour?
   4. was the misstatement deliberately made by management or does management refuse to adjust the error for reasons other than immateriality?

325.57 For example, a very large misstatement of a performance measure (for example, reporting that 10,000 widgets were produced in 20XX where 500 of those widgets were actually produced in 20XY) may still not be material to the overall audit conclusion if that error was isolated and did not relate to a major activity of the entity, given that the assumption of a 5% threshold for this measure may have been rebutted. On the other hand, a relatively small error of 100 widgets out of 10,000 would likely be material if there was evidence that management had deliberately misstated the result to achieve a target.

325.58 To determine what the overall impact is on the audit conclusion, when assessing at the performance measure level, the application of materiality should consider:

1. how significant is the deviation from the performance measure relative to the performance measure itself (where the auditee has reported a performance result that is quantitatively in error but has fallen far short of the performance target and reported as such, we may assess in qualitative terms that a misstatement is less material)?
2. how significant is the performance measure to the overall audit objective (can the performance statements meet the overall objective despite not meeting this particular performance measure)?
3. are there deviations from other performance measures also impacting the overall audit objective (how does this performance measure accumulate with others to meet the overall audit objective)?

325.59 Identified deficiencies against one performance measure do not necessarily mean that the performance statements as a whole are materially misstated, the auditor’s report may still conclude that the performance statements are prepared in all material respects in accordance with the audit criteria except for the specific matter. For example, where one or more performance measure has not been met, and those deviations have been identified, accumulated, and assessed material but isolated and not considered pervasive, an ‘and except for’ qualification may suffice.

Chapters 331 to 334

331. Communicating audit findings

Background

331.1 The ANAO Auditing Standards define management and TCWG in ASA 260 Communication With Those Charged with Governance. In addition, legislation or other authority may require or permit audit findings to be reported to a responsible Minister and to Parliament.

331.2 The ANAO Auditing Standards require particular audit findings to be communicated to management and TCWG, respectively.

331.3 As required by the ANAO Auditing Standards, audit findings to be communicated to management include:

1. deficiencies in internal control, including those to prevent or detect fraud;
2. an actual or possible fraud;
3. non-compliance with laws and regulations; and
4. misstatements that are not clearly trivial for correction and material misstatements indicative of a deficiency in internal control.

331.4 As required by the ANAO Auditing Standards, audit findings to be communicated to TCWG include:

1. most of the audit findings communicated to management, including all significant deficiencies in internal control in writing;
2. fraud involving management or certain others;
3. intentional and material non-compliance involving management;
4. audit matters (findings per this policy) of governance interest; and
5. all uncorrected misstatements (see Chapter 325 Evaluating misstatements and forming the audit conclusion for further policy and guidance on communication of misstatements to TCWG).

331.5 Audit findings are categorised according to the criteria below.

Guidance

Appropriate level of management

331.12 The determination of the appropriate level of management requires consideration of the management structure of the entity and is a matter of professional judgement. Ordinarily, it would include the senior executive(s) (or equivalent) delegated with overall responsibility for preparation of the performance statements and can include those who have responsibilities for corporate functions and IT systems.

Sensitive information

331.13 Situations where information should not be included in public reports are detailed in subsection 37(2) of the A-G Act. Reasons that information is sensitive are:

1. it would prejudice the security, defence or international relations of the Commonwealth;
2. it would involve the disclosure of deliberations of decisions of the Cabinet or of a Committee of the Cabinet;
3. it would prejudice relations between the Commonwealth and a State;
4. it would divulge any information or matter that was communicated in confidence by the Commonwealth to a State, or by a State to the Commonwealth;
5. it would unfairly prejudice the commercial interests of any body or person; or
6. any other reason that could form the basis for a claim by the Crown in right of the Commonwealth in a judicial proceeding that the information should not be disclosed

Individual reports to ministers – interim and year end

331.14 Individual reports to Ministers need to include all information planned to be tabled in the relevant parliamentary report, being the:

1. Performance Statements Year End Report.

Portfolio reports to ministers

331.15 The purpose of the year end portfolio report is to provide the Minister with a succinct report on the results of and major issues arising from performance statements audits of entities within the Minister’s portfolio, in addition to the audit findings. The report lists reporting entities within the Minister’s portfolio, indicating whether the audit reports are modified and whether significant issues arose during the audit.

331.16 Portfolio wide issues should be highlighted within the report, where possible.

Reference to third parties

331.17 Where an audit finding includes a description of the role of a third party, such as an accounting firm or IT services provider, direct reference to the third party should be avoided where possible. In circumstances where this may not be possible without compromising the context and clarity of the finding this should be discussed with the PSASG GED.

332. Distribution and timing of letters and written reports

Background

332.1 Letters and written reports are normally provided (under legislation, ASAE 3000 and ANAO policy) to:

1. Management;
2. TCWG, including Audit Committees;
3. Ministers; and
4. Parliament.

332.2 Generally, the basis and nature of letters to management and TCWG are sourced in ASAE 3000 and will be required for all performance statement engagements. Reports to Ministers and Parliament are sourced in legislation and are required for performance statements audits under the Commonwealth’s performance reporting framework. Where the performance statements audit is conducted under Section 40 of the PGPA Act the ANAO is required to report the outcome of the audit (the auditor’s report) to the requesting Minister, and the Minister is required to table the ANAO’s report and the related performance statements in the Parliament.

332.3 It is important to note that there are situations where legislation or the auditing standards require matters to be reported promptly. Formal reports required in these situations are in addition to the regular reports required by this policy.

332.4 Auditors may also engage in correspondence with entities to resolve particular matters in the course of the audit, for example, about the application of performance measures.

Guidance

Reports to parliament

332.12 Under section 40 of the PGPA Act, providing the auditor’s report on an entity’s performance statements audit to the Parliament is the obligation of the requesting Minister. The ANAO would not ordinarily provide the auditor’s report to the Parliament in addition to this process but may exercise its power under section 25 of the A-G Act to report to the Parliament about observations and findings about the broader application of the performance reporting framework by the Commonwealth public sector.

332.13 Reports to Parliament are issued under section 25 of the A-G Act. This section allows the Auditor-General to cause a report to be tabled in either House of Parliament on any matter. The A-G Act requires that a copy of such a report be provided to the Prime Minister, the Minister for Finance and to any other Minister who, in the Auditor-General’s opinion, has a special interest in the report

333. Closing letter

Background

333.1 Where an The Closing Letter is prepared to communicate matters that are directly relevant to the performance statements or that the auditing standards require be communicated before the performance statements are signed.

333.2 The distribution and timing of the Closing Letter are dealt with in Chapter 332 Timing and distribution of written reports.

333.3 The Closing Letter may also serve to replace other letters to management TCWG that detail the audit’s findings. Matters to be communicated as audit findings are identified in the Communicating audit findings policy (Chapter 331 of this manual).

Guidance

333.5 The Closing Letter is prepared on the basis that the content of the management representation letter and performance statements being signed are as anticipated.

333.6 The Closing Letter refers to other matters which are to be included in the auditor’s report. These matters can include a report required on legal or other regulatory requirements or a matter that is relevant to the users’ understanding of the audit, the auditor’s responsibilities or the auditor’s report²⁶.

333.7 The Closing Letter may also include the following elements:

1. include a schedule of audit adjustments made;
2. discuss the final audit fee;
3. acknowledgement of support received from the auditee; and
4. details of the planned beginning of the audit of the performance statements for next financial year.

334. ANAO auditor’s reports on performance statements

Background

334.1 Where an audit is undertaken under section 40 of the PGPA Act the ANAO is required to report the outcome of the audit (the auditor’s report) to the requesting Minister, and the Minister is required to table the ANAO’s report and the related performance statements in Parliament.

334.2 The form and content of ANAO auditor’s reports on performance statements are determined by the requirements of:

1. the legislation or arrangement under which the audit is conducted; and
2. the relevant auditing standards.

334.3 PSG prepares proforma ANAO auditor’s reports for Commonwealth entities.

Guidance

Addressee

334.8 ANAO auditor’s reports on the performance statements of Commonwealth entities are addressed to the requesting Minister under section 40 of the PGPA Act, which will either be the Finance Minister or the Minister who is responsible for the entity.

334.9 For Parliamentary Departments, the relevant presiding officer(s) are regarded as the responsible Minister under the PGPA Act.

334.10 Ministers of State are listed in the official Ministry List by portfolio (Parliamentary Secretaries and Ministers assisting another Minister are effectively regarded as Assistant Ministers). Where a portfolio has more than one minister, all those ministers administer the department with the effect that all ministers are formally able to administer the legislation associated with the department. In practice, each minister in a portfolio will have discrete areas of policy and legislative responsibility²⁷. The legislation associated with a department is prescribed in the Administrative Arrangements Orders (AAOs) made from time to time by the Governor-General.

334.11 The Ministry List and the AAO are updated as required and published on the website of the Department of the Prime Minister and Cabinet at the Current Ministry list.

Independence statement within the ANAO auditor’s report

334.12 ANAO policy is to make an independence statement in each ANAO auditor’s report issued on financial statements. For performance statement audits conducted under the Australian Auditing Standards, ASAE 3000 paragraph 69(j) requires the auditor’s report to include a statement on independence.

334.13 Where there is a possibility that the applicable independence requirements cannot be met because of an unavoidable conflict between those requirements and the Auditor-General’s obligation to audit and report, an explanation of the conflict for inclusion in the ANAO auditor’s report needs to be considered. Such a situation is expected to be rare in practice.²⁸

Referral to QTAC

334.14 ANAO policy in respect of QTAC outlines when a proposed ANAO auditor’s report is to be referred to QTAC. Refer to Chapter 8 of the Shared Volume of this manual.