Audit process - risk assessment
What do auditors do? | Why do they do it?
Agree terms of engagement | Terms of engagement are communicated & agreed to ensure a clear understanding of responsibilities of the parties, the objectives of the audit, access to information and the reports to be provided.
Plan the audit | An understanding of the auditee is obtained for risk assessment purposes & an audit plan is prepared.
Perform risk assessment procedures | A risk assessment is performed to determine the number and type of procedures to perform.
Audit process - risk response
What do auditors do? | Why do they do it?
Perform procedures in terms of risk assessment | Procedures are performed to obtain evidence that the financial statements & annual performance report do not contain material misstatements and that key legislation has been complied with.
Audit process - reporting
What do auditors do? | Why do they do it?
Prepare management report (not published) | The report is only provided to the management of the auditee and the executive authority at the end of the audit. It details the findings from procedures performed, identifies the root causes of these findings and makes recommendations for improvement.
Prepare audit report (published) | The report is published in the auditee's annual report. It informs those responsible for oversight, the public and others of material misstatements in the financial statements, material findings on the usefulness and reliability of the performance report, material non-compliance with key legislation in specific focus areas, and the deficiencies in internal control that were identified during the audit.
Audit process - what is an audit in the public sector?

The public sector auditor assesses the stewardship of public funds, implementation of government policies and compliance with key legislation in an objective manner.

The scope of the annual audit performed for each auditee is prescribed in the Public Audit Act and the general notice issued in terms thereof. It includes the following:

  • Providing assurance that the financial statements are free from misstatements that will affect the users of the financial statements
  • Reporting on the usefulness and reliability of the information in the annual performance report
  • Reporting on material non-compliance with key legislation
  • Identifying the key internal control deficiencies that should be addressed to achieve a clean audit

Performance audits may also be performed to determine whether resources have been procured economically and are used effectively and efficiently.

Audit process - what does an audit not do?
Due to the test nature and other inherent limitations of an audit, together with the inherent limitations of internal control, there is an unavoidable risk that some, even material, misstatements in reported information may not be detected, and the completeness and the accuracy of the information reported are not guaranteed. Due to the focus on specific areas in key legislation, the audit does not provide assurance that all applicable legislation has been complied with. Although possible fraud may be identified during the audit, this is not the main purpose of the audit. The audit does not provide assurance that service delivery has been achieved, only that the annual performance report is useful and reliable.
Audit process - what is a clean audit?

A clean audit relates to three aspects:

  • The financial statements are free from material misstatements
  • There are no material findings on the annual performance report
  • There are no material findings on non-compliance with key legislation
Audit process - how to achieve a clean audit

Matters reported by external and internal auditors should receive timeous management attention. Internal controls should address the following key areas:


  • Establish a culture of honesty, ethical business practices and good governance
  • Exercise oversight responsibility
  • Ensure effective human resource practices
  • Implement appropriate policies and procedures
  • Approve and monitor the implementation of action plans to address internal control deficiencies
  • Approve an appropriate information technology governance framework

Financial and performance management

  • Ensure proper record keeping of all transactions
  • Maintain effective controls over daily and monthly processing and reconciling of transactions
  • Produce regular, accurate and complete financial and performance (service delivery) reports
  • Review and monitor compliance with applicable legislation
  • Design and implement formal controls to mitigate information technology risks


  • Ensure that risks are periodically identified, assessed and effectively mitigated
  • Maintain an adequately resourced and functioning internal audit unit
  • Maintain an audit committee that performs its legislated duties and promotes accountability and service delivery