Planning in Performance Audits: Defining Audit Objectives

A guide to defining precise, answerable, and standards-aligned audit objectives in performance audits.

Performance audits succeed when objectives are precise, answerable, and grounded in standards. These key insights outline the core considerations that shape planning.

This lesson is a preview from Graduate School USA's Conducting Performance Audits Course.

Key tasks in planning are to define the audit’s objectives and select the scope of work and methodology to achieve those objectives. The first fieldwork standard for performance auditing is:

“Auditors must adequately plan the work necessary to address the audit objectives. Auditors must document the audit plan.” (par 8.03)

Basic Concepts Applicable in Planning

The concepts of reasonable assurance, significance, and audit risk form a framework for applying applicable standards in conducting performance audits. In planning the audit, auditors should assess significance and audit risk and apply these assessments in defining the audit objectives and the scope and methodology to address those objectives.

Reasonable Assurance: Performance audits that comply with GAGAS provide reasonable assurance that evidence is sufficient and appropriate to support the auditor’s findings and conclusions.

Significance: Significance is defined as the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors. The concept of significance assists auditors throughout a performance audit, including when deciding the type and extent of audit work to perform, when evaluating results of audit work, and when developing the report and related findings and conclusions.

Audit Risk: Audit risk is the possibility that the auditors’ findings, conclusions, recommendations, or assurance may be improper or incomplete, as a result of factors such as evidence that is not sufficient and/or appropriate, an inadequate audit process, or intentional omissions or misleading information due to misrepresentation or fraud. The assessment of risk involves both quantitative and qualitative considerations.

Applying Audit Risk in Planning

In assessing risk, the government audit standards state that auditors should consider, within the context of the audit objectives:

  • compliance with authoritative requirements,
  • risk of fraud and abuse, and
  • internal control.

Consider Compliance

“Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives.” (par 8.68)

Normally, when compliance is significant to the audit (e.g., a grant audit), the need to assess compliance will be addressed as an objective or subobjective of the audit.

Consider Fraud

Fraud involves an intention to deceive, resulting in benefit to the perpetrator and harm to the government. GAGAS provides:

In planning the audit, auditors should assess risks of fraud occurring that is significant within the context of the audit objectives. Auditors should gather and assess information to identify risks of fraud that are significant within the scope of the audit objectives or could affect findings and conclusions.

When auditors identify factors or risks related to fraud, they should design procedures to provide reasonable assurance of detecting such fraud.

If fraud is indicated, auditors should extend audit steps and procedures to:

  • Determine whether fraud has likely occurred, and
  • If so, determine its effect on audit findings.

However, auditors need to be careful not to disclose information that may cause the perpetrator to suspect the auditor is uncovering the fraud and, therefore, is given the opportunity to destroy or alter records or otherwise cover it up.

Each audit office will likely have internal policies and procedures for how auditors are to handle situations of potential fraud and when such allegations or suspicions should be turned over to investigators.

Possible Fraud Indicators

The following list depicts indicators of possible fraud. The list is not all-inclusive, nor are the situations absolute indications of fraud. Professional judgment must be applied to each individual situation since what could be an indication of fraud in a specific instance may not be in other instances.

  • Numerous instances of unsupported costs that cannot be reasonably explained.
  • Overrun claims that are not adequately explained.
  • Indications of defective material used in federal grant projects.
  • Inventory shortages.
  • Appearance of false claims or false statements.
  • Prequalification of prospective contractors for bid acceptance based on unverified contractor-submitted data.
  • Prime contractors subcontracting substantial amounts of work without the apparent knowledge or approval of the contracting officer.
  • Use of minority fronts.
  • Contract performance not adequately monitored or documented.
  • Issuance of numerous work orders or change orders after contract award, which substantially increase costs.
  • Restricted or inadequate competition on contract awards.
  • Appearance of bid rigging (identical bid items, many line items very close in amount, unbalanced bids, etc.).
  • Single bids substantially exceeding engineering estimates.
  • Prime contractors requiring subcontractors to utilize the prime’s labor and/or equipment.
  • Conflicts-of-interest.
  • Duplicate or altered documents used as support for payment.
  • Same person and office responsible for determination of requirements and certification of services or material received.
  • Continuous overtime to accomplish mission.
  • Indications that the program objectives or goals are not being achieved.
  • Unallowable costs due to erroneous cost accounting procedures.
  • Indications that significant costs were mischarged (e.g., time and attendance records altered or improperly completed).

Consider Internal Control

“Auditors should determine and document whether internal control is significant to the audit objectives.” (par 8.39)

“If it is determined that internal control is significant to the audit objectives, auditors should obtain an understanding of such internal control.” (par 8.40)

In practice, internal control will generally be significant within the context of an audit’s objectives.

Depending on the audit approach dictated by the audit objectives, internal control may be assessed as the condition finding element or the cause finding element.

Significance of Controls Depends on Audit Approach

  1. Audit Approach: Examine Results/Accomplishments: Controls are examined for the purpose of identifying the cause of good and poor performance.
  2. Audit Approach: Examine Controls: Controls are examined as the condition finding element.
  3. Audit Approach: Evaluate Impact: Controls are examined to determine if the intervention has been put in place.
  4. Audit Approach: Assess Compliance: Controls are examined as a possible cause of noncompliance.
  5. Audit Approach: Prevent and Detect Fraud: Controls may be examined as the condition or cause, depending on the circumstance.

Relationship of Controls to Processes

All government programs exist to achieve some purpose.

A program’s purpose is achieved by the production and delivery of outputs to customers (usually a combination of outputs). Those output goods and services are expected to satisfy customer needs (general intent) and achieve the program’s purpose or mission (specific intent).

A program’s outputs are produced and delivered through processes.

The resources needed to produce and deliver program outputs are acquired through the budget process.

A process is composed of:

  • defined resources
  • methods/work steps/tasks
  • controls
  • a designated output or outputs
  • one or more target customers or clients

Methods consist of policies and procedures and actual practices. In processes, people, using methods, equipment, and technology, acquire material resources, transform those resources into outputs, and deliver them to customers.

Many processes are likely to have “work-in-process” where work is handed off from one department to another and/or from one process to another.

Program operations are the strategies, processes, and activities management uses to convert inputs into outputs. (GAGAS, par 8.38e)

Types of Controls

There are two general types of controls:

  • controls that exist within a process (e.g., supervisory approval of staff Time and Attendance reports)
  • stand-alone controls (e.g., security fences, passwords)

Controls are often described by purpose as preventative, detective, and corrective.

GAO’s Internal Control Standards: Components and Principles

The Green Book organizes internal control into five components and 17 principles. Each component must function together for an effective internal control system.

Control Environment

  • Commitment to integrity and ethical values
  • Oversight of the internal control system
  • Organizational structure and delegation
  • Recruitment and retention of competent individuals
  • Accountability for internal control responsibilities

Risk Assessment

  • Define objectives clearly
  • Identify and analyze risks
  • Consider the potential for fraud
  • Assess the impact of significant changes

Control Activities

  • Design control activities
  • Design information systems and related controls
  • Implement control activities through policy

Information and Communication

  • Use quality information
  • Communicate internally
  • Communicate externally

Monitoring

  • Monitor the internal control system
  • Remediate deficiencies

Audit planning establishes the foundation for a high-quality performance audit. By clearly defining objectives, assessing significance and risk, and considering compliance, fraud, and internal control, auditors can ensure their work is properly directed and capable of producing meaningful, well-supported findings. Strong planning practices not only guide the audit team but also increase the credibility and usefulness of the resulting report.

Kim Peppers

Kimberly Peppers spent 37 years as a federal employee culminating in leadership roles as regional inspector general and audit director in multiple federal agencies; building a career in federal audit, budget and program analysts’ positions. She has subsequently worked in the federal consulting environment. Kim considers among her notable achievements obtaining her doctorate, in business administration while concurrently working in audit and investigations stationed in the middle east.

More articles by Kim Peppers

How to Learn Auditing

Build practical, career-focused federal auditing skills through hands-on training designed for beginners and professionals alike. Learn fundamental tools and workflows that prepare you for real-world projects or industry certification.