Report on a Review of the Financial Audits Completed in the 2019–20 Fiscal Year

Report on a Review of the Financial Audits Completed in the 2019–20 Fiscal Year

Introduction

The Practice Review and Internal Audit team helps the Office of the Auditor General of Canada (OAG) to meet its obligation under the Chartered Professional Accountants of Canada’s Canadian Standard on Quality Control 1. The team does this by conducting inspection activities to determine the extent to which engagement leaders are complying with Canadian Auditing Standards, OAG policies, and applicable laws and regulations when conducting their audits. The team also ensures that independent auditor’s reports are supported and appropriate.

Objective

The practice review’s objective is to provide the Auditor General of Canada with assurance that

Scope

This report summarizes the reportable observations related to the practice reviews of 6 financial audits completed in the 2019–20 fiscal year.

Rating

Each audit file reviewed is rated as one of the following:

After completing each review, we also conclude on whether the independent audit opinion is supported and appropriate.

Results of the Reviews

Exhibit 1 summarizes the reportable observations related to the practice reviews.

Exhibit 1—Summary of reportable observations

Summary of reportable observations

A. Engagement management
  • Two individuals were consulted on a significant accounting issue and did not complete independence confirmation forms. (1 audit file)
  • The information technology (IT) audit strategy was not fully documented on a timely basis. In addition, the sign-offs for the IT Audit and Controls Assurance Planning Memorandum template and the TeamMate audit step were not obtained from the IT Audit and Controls Assurance teams. These sign-offs would have indicated that the teams had been consulted during the planning phase and had agreed to the resulting audit strategy. (1 audit file)

B. Planning phase

None.

C. Examination phase

In 4 audit files, we found issues with the security of sensitive information:

  • Some working papers were missing the appropriate security label: “Protected A” or “Protected B.” (2 audit files)
  • The audit team added the security label “Protected A” to documents provided by the entity. Assessing whether a document should be categorized as protected is the responsibility of the document owner. Audit staff should not make this assessment in place of the entity. However, if audit team members believe that a specific document was not properly categorized, they may decide to discuss the document’s security classification with the entity. (1 audit file)
  • The audit team hired experts from an accounting firm to obtain assurance in a specialized field. The firm prepared a summary memo on the conclusions of its experts’ work along with supporting working papers. The documents were given to the audit team and recorded in the TeamMate file. The documents are considered OAG documents and are subject to the same security rules for sensitive information as other OAG documents. However, the audit team did not evaluate the documents to determine the appropriate security label. After discussion, it was determined that these documents should have been categorized as “Protected A.” (1 audit file)

D. Reporting phase

The procedure pertaining to subsequent events after the date of the independent auditor’s report was signed off in TeamMate on the date of the report. (1 audit file)

E. Engagement quality review

None.

F. Efficiencies

An analytical review of some financial statement line items that had a lead sheet was done to explain variances of up to 20% of the planned materiality level. This analysis was not part of the list of procedures in the lead sheet template and was not required in accordance with the audit strategy. We questioned the merit of performing such audit work. (1 audit file)

G. Other practice improvements

None.

H. Summary of good practice observed

None.

Recommendation to the Financial Audit Practice

Engagement leaders should ensure that audit staff have a good understanding of the Treasury Board’s Directive on Security Management and are reminded that any document stored in TeamMate be assessed under that directive and labelled according to the proper security level.

Management’s response

Agreed. We will remind financial auditors of the Treasury Board security policy and directive as part of the next 2020 senior auditor training. We will also work with the IM and Security teams on two fronts. First, to ensure financial auditors are prioritized for the rollout of the new focused course on security classification and labelling expected later in 2020. Second, the IM and Security team will develop and publish a FAQ document outlining scenarios specific to audit operations. Once available, we will work with Audit Services to include in the audit kick-off meeting template a link to this document and the new training material as part of a future methodology update.

Conclusion

Of the 6 financial audit files reviewed, 1 was rated as compliant in all significant respects with Canadian Auditing Standards, OAG policies, and applicable laws and regulations, and 5 were rated as compliant while improvements needed.

All related independent auditor’s reports were supported and appropriate.