Annual Audit Manual

To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase on the Internet.

PDF version

Notice to the Reader

Annual Audit Manual (Revision June 2010)

The Auditing and Assurance Standards Board (AASB) has adopted International Standards on Auditing (ISA) as Canadian generally accepted auditing standards (GAAS). These newly adopted standards are called Canadian Auditing Standards (CASs) and apply to the audit of financial statements and other financial information for periods ended on or after 14 December 2010. The Annual Audit Manual (Revision June 2010) has been released to address these changes to Canadian GAAS. The attached Appendix of Practice Statements contains all the related revisions to the Annual Audit Manual. The references below are critical to the readers understanding of the scope and nature of these revisions.

Refer to Preface—Annual Audit Manual (Revision June 2010) contained in the attached appendix to this manual for a description of how the manual was revised, the authority of these revisions, and expectations for compliance with new and revised information.

Refer to Practice Statement #1—OAG Transition to new CASs for guidance and the related annual audit policy for the Office's transitions to performing audits in accordance with CAS.

Table of Contents

Forward

Introduction

1 Approach to Annual Audits

Key Elements of Our Annual Audit Methodology
OAG Approach to Conducting an Annual Audit
Risk Analysis

2 General Audit Management Issues

Quality Management System
Our Responsibilities as Legislative Auditors
Compliance With Authority
"Other Matters"
Audit Team Roles and Responsibilities
Delegation at the Team Level
Quality Assurance Services Roles and Responsibilities
Coordinating Work With the Regional Offices
Sufficient and Appropriate Audit Evidence
Teamwork—Briefing, Coaching, and File Review
Audit of the Public Accounts of Canada
Communications With Audit Entities
Consultation
Procedures to Resolve Differences of Professional Opinion
Access to Entity Information
Security of Information
Access to Audit Files
Complaints and Allegations
Guidance and Tools

3 Engagement Management

Terms of Engagement
Monitoring and Assessing Risks Associated With the Acceptance and Continuance of an Engagement With an Entity
Approval Process and Documentation for Engagement Acceptance and Continuance
Documenting Engagement Acceptance and Continuance
Independence Issues
Staff Performance and Development Objectives
Consistent Application of Accounting Principles

4 Knowledge of the Entity and Risk Analysis

Knowledge of the Entity and Its Environment
Knowledge of the Entity's Internal Controls
Fraud and Other Risk Considerations
Updating the Audit Risk Assessment

5 Annual Audit Planning

Annual Audit Planning—General
Annual Audit Risk Assessment
Materiality and Audit Risk
Documentation of Risk Assessment Procedures in TeamMate
Preliminary Audit Approach by Cycle
Strategy Development—General
Gaining Assurance Through Reliance on Controls
Reliance on Management and Monitoring Controls
Reliance on Application Controls
Compliance With Authorities
Quality Reviewer's Role in Planning
Other Strategies
Team Planning Meetings
Report to the Audit Committee—Annual Audit Plan
Designing Detailed Audit Programs

6 Annual Audit Execution

General Considerations
Supervision, Coaching, and File Review
Techniques for Gathering and Documenting Audit Evidence
Compliance With Authorities
Reliance on Management and Monitoring Controls
Reliance on Control Activities
Reliance on General Computer Controls
Analytical Procedures
Substantive Tests of Detail
Documentation of Audit Procedures
Quality Reviewer's Role in Execution

7 Annual Audit Reporting and Completion

Evaluating Audit Results
Reporting on Fraud and Errors
Final Analytical Procedures
Quality Reviewer's Role in Reporting
Annual Audit Practice Team Review
Sensitive Issues
Report Clearance Summary
Signing the Auditor's Report
Management Letter of Representation
Reporting to Those Having Oversight Responsibility for the Financial Reporting Process
Review of the Annual Report
Management Letters
Documentation Completion Requirements
Other Audit Completion Activities
Review Policy
Other Inputs to Continuous Improvement

8 Consultation

General
Documenting Consultation
Consulting the Auditor General on Sensitive Issues
Independent Accounting and Financial Auditing Advisory Committee Independent Advisory Committee
Quality Reviewers
Involvement of Specialists
Annual Audit Practice Team
IT Audit Specialist Team
Financial Instruments Specialist Team
Legal Services
Consultation and the Annual Audit of the Public Accounts of Canada

Appendix—Annual Audit Manual (Revision June 2010)

Forward

Annual Audit of the Public Accounts of Canada, the Territories, Crown Corporations and Other Entities

The Office’s annual audit practice dates back more than 130 years to the appointment of Canada’s first Auditor General, John Lorn McDougall, in 1878. The fact that Parliament and the territorial legislatures continue to look to the Auditor General for independent advice and assurance is a testimony to their confidence in the quality of our annual audit work.

The quality of our audits depends on having strong methodology and guidance. The policies, procedures and guidance outlined in this manual are part of the Office’s Quality Management System (QMS). The QMS is designed to provide the Office of the Auditor General (OAG) with reasonable assurance that it conducts high-quality audits in accordance with applicable legislative requirements, professional standards, and Office policies.

This manual and the policies it contains are based on current standards of the audit profession and best practices of other legislative audit offices. They have been adapted to the OAG in order for us to fulfill our mandate. This updated version also draws on the knowledge of practitioners, the Methodology and Professional Development Committee (MPDC) the Methodology Committee, Office specialists, and external consultants.

This manual covers all annual audits conducted by the Office, including those carried out on the Public Accounts of Canada (specifically the audit of the Summary Financial Statements of Canada), the Territories, Crown corporations, international assignments, and other audit entities. It should be read in conjunction with the functional guidance, procedures, and tools available internally through our Annual Audit INTRAnet site and in TeamMate.

The Annual Audit Manual is an important tool to be used in all annual audit work. It provides a clear picture of the standard of quality expected from staff, and it emphasizes areas where auditors must exercise professional judgment and where they must adhere to standards. Auditors are expected to use this manual during the course of their audit work.

Additions or changes to practices will be communicated as Practice Advisories. These changes will be added periodically to the manual and to TeamMate.

For comments and suggestions, please contact the Professional Practices Group (PPG).

Sheila Fraser, FCA

Introduction

1. The Office currently has a number of product lines: annual audits of the financial statements of the Government of Canada (Public Accounts of Canada), the Territories, Crown corporations, and other entities; special examinations of Crown corporations; performance audits (PA) of departments and agencies including special studies; and assessments of performance information and environment and sustainable development audits and studies. The Methodology and Professional Development Committee of the Office works with staff to develop and approve policies and expected practices for each product line, with the objective of ensuring that these audits are conducted at the highest professional level.

2. The Annual Audit Manual has been prepared, in part, to explain the Office's Quality Management System for conducting annual audits. The manual does not address all aspects of the Quality Management System for annual audits but rather focuses on those aspects that apply to individual engagements. The Office's policies, methodology, and supporting guidance and tools apply to all annual audits, including the Public Accounts of Canada, the Territories, Crown corporations, and other financial audit work, including international annual audit engagements.

3. The manual has been written primarily to provide guidance to annual audit personnel on how the Office expects them to comply with professional standards. It describes the conceptual underpinnings of the Office's annual audit methodology, explaining in broad terms how these audits should be planned, conducted, and reported. The manual refers readers to some of the various audit tools and other guidance that exist, providing only minimal "how to" information. It does, however, identify additional sources of guidance that exist to help meet the needs of annual audit staff.

4. This manual does not include an exhaustive description of auditing theory. Rather, it is intended as an efficient resource to explain the principles underlying the Office's approach to conducting annual audits, including the audit of compliance with legislative authorities.

How to Use This Manual

5. The Office has developed a quality management system to guide staff in managing annual audits. This system is designed to provide reasonable assurance that our annual audits are conducted in accordance with applicable legislative requirements, professional standards, and Office policies.

Refer to Practice Statement #2—Deviations from Office Policy and GAAS

6. There is an expectation that the framework for conducting annual audits described in this manual will be followed by all Office staff. However, while it is recognized that no system is applicable in every circumstance, exceptions to Office policies, methodology, and supporting guidance and tools should be rare. In these rare situations, the audit Principal should obtain the concurrence of his/her Assistant Auditor General and, in exceptional circumstances, that of the Auditor General.

ANNUAL AUDIT POLICY

Staff (Office employees and contractors) should comply with Office policies and Generally Accepted Auditing Standards (GAAS) and should apply Office methodology. In those rare instances where it is considered inappropriate or impractical to comply with Office policies or GAAS, the audit Principal should obtain prior approval from the responsible Assistant Auditor General, consult with the Annual Audit Practice Team, and document the deviation.

7. For the annual audit of the Public Accounts of Canada, in those rare instances where it is considered inappropriate or impractical to comply with Office policies and Generally Accepted Auditing Standards, and/or to apply Office methodology, the entity team Principal should also obtain the prior approval of the Central Team Principal.

8. Under Section 6 of the Auditor General Act, we audit the Summary Financial Statements of the Government of Canada, which are included in the Public Accounts of Canada. In this manual, the audit of the Summary Financial Statements of the Government of Canada is referred to as the Public Accounts audit.

Refer to Practice Statement #3—Senior Roles and Responsibilities for Audit Quality

Methodology Support

9. The Product Leader for Annual Audit is responsible for the ongoing support of the annual audit policies, methodology, and supporting guidance and tools described in this manual. Questions regarding interpretation or the application of particular aspects of the Office's approach should be directed to the Product Leader for resolution. As well, innovative practices and suggestions for improvement are appreciated and will be used to enhance the methodology and to improve practices throughout the Office.

Context of Our Annual Audit Practice

10. The Quality Management System for annual audit has been developed with careful consideration of the unique environment in which the Office operates. This environment comprises a number of key characteristics that have shaped our annual audit practice. These characteristics are summarized in the table below. The policies and practices related to these characteristics are outlined in more detail throughout this manual.

KEY CHARACTERISTICS
IMPACT ON OUR PRACTICE
Legal Mandate  

The legal mandate of the Auditor General is described in general terms in the Auditor General and Financial Administration acts.

  • However, other acts of Parliament include references to annual audits and other specific duties to be undertaken by the Auditor General.
  • The wording used in these acts to describe our responsibilities is not always consistent.
  • As a legislative audit office, we must have a proper legal basis for all of our annual audit work. Consultation with legal services, where appropriate, helps to ensure that we maintain a proper legal basis for our work.
  • Terms of engagement are dictated by legislation, but we strive to be as consistent as possible across our portfolio.
  • Communicating with senior management of audit entities is important to ensure that we share a common understanding of the terms of our annual audit engagements.
Appointment of the Auditor General  
  • The Auditor General is appointed for a 10-year term by the Governor in Council.
  • The Office's independence is established in the Auditor General Act.
  • We have a high degree of independence and are subject to few of the conditions that exist for public accounting firms that might jeopardize our independence. However, we do need to avoid situations involving potential conflict of interest, as outlined in the Office's Code of Professional Conduct.
  • Except in limited circumstances, the Office does not charge and/or recover fees. Nevertheless, we still have an obligation to be economical, efficient, and effective in our annual audit work.
Expectations of a Legislative Audit Office  
  • The Office has an obligation to Parliamentarians to bring to their attention instances where our audit entities have not been in compliance with legislative authorities in all significant respects.
  • The Office is expected to bring to the attention of Parliamentarians any "other matters" that the Office believes they should be aware of.
  • As a legislative audit office, our work can, at times, involve politically sensitive issues that may impact our risk assessment.
  • Our annual audit work should be consistent with the expectations of Parliament. Addressing compliance with authorities and addressing "other matters" are integral parts of the Planning, Execution, and Reporting phases of every annual audit.
  • We report "other matters," either directly or on an exception basis. Regarding the Public Accounts of Canada, this information might be included in Observations of the Auditor General on the Financial Statements of the Government of Canada, which we refer to in our Auditor's Report.
  • Consultation with internal specialists and Office senior management helps to ensure that sound judgment is exercised in planning, executing, and reporting the results of our annual audit work. Through consultation and senior management involvement, we can more fully meet the needs and expectations of legislators and ensure that we communicate our findings clearly and succinctly.
Audit Entities  
  • There is little change from year to year in the portfolio of audit entities for which the Office performs annual audits.
  • The Office therefore has considerable experience with most of the entities we audit.
  • In some entities, the Office performs performance audits, special examinations, and/or other types of audit work that further enhance our understanding of these entities.
  • There are typically few, if any, comparable entities in the private sector.
  • Even though we generally have a long history with most of our audit entities, our environment is a dynamic one. Maintaining a sound knowledge of the entity's business and risks is an ongoing activity that should be visible throughout all phases of our annual audit work.
  • Many of our entities operate in specialized areas. Because of their public policy objectives, they often have unique characteristics not found in similar private sector entities. These differences need to be taken into account when consulting with internal and/or external specialists and in the acquisition of knowledge and understanding of specialized industries and/or unique industry accounting practices.
Office Size, Organization, and Staff  
  • The Office has a relatively small number of professional staff that work closely together.
  • Annual audits are conducted in most of the groups within the Office.
  • The audit of the Public Accounts of Canada is the largest annual audit in the country.
  • We have developed a corporate culture built on consultation and consensus-building. The Office values this culture and has established policies and procedures that encourage and support these types of behaviours.
  • Completing the audit of the Public Accounts of Canada requires teamwork and cooperation of staff throughout the Office.
Office Methodology and Practices  
  • The Office has an established methodology for conducting annual audits.
  • Our methodology evolves with changes in professional standards, with changes in the practices of the private sector and other legislative audit offices, and as a result of innovation within the Office.
  • We strive to "build in" quality throughout all phases of the annual audit.
  • The methodology described in this manual applies to all of our annual audits.
  • As part of our "continuous learning" initiatives, the Office monitors developments in professional standards and regularly surveys developments in the private sector and other legislative audit offices.
  • We work with private sector auditors on some engagements. In these cases, we need to satisfy ourselves that the work of the joint auditor has been performed according to professional standards.
  • We emphasize "real-time" supervision and coaching that builds in quality as the audit unfolds. We expect file reviews to be completed on a timely basis, the main objectives being to confirm that quality work is being done and to resolve issues as they arise. We recognize that building in quality is more efficient than inspecting it after the fact.

Organization of This Manual

The Annual Audit Manual consists of eight distinct sections.

CHAPTER
TITLE
MATTERS DISCUSSED
 
Introduction The defining characteristics of our environment and how they have helped shape our practice
1
Approach to Annual Audits Conceptual overview of the key elements of the annual audit methodology and overall approach for conducting annual audits
2
General Audit Management Issues Broad audit management issues that have relevance to all phases of our annual audit work
3
Engagement Management "Getting started" activities, in which we establish the terms of the engagement and perform client acceptance and continuance procedures, as well as other preliminary planning activities
4
Knowledge of the Entity and Risk Analysis The Office's policies and expectations related to understanding audit entities and identifying risks of material misstatement
5
Annual Audit Planning The Office's expectations leading to the development of the strategic audit approach and designing our audit response to assessed risks of material misstatement
6
Annual Audit Execution The three different sources of audit assurance (analytical procedures, reliance on controls, and substantive tests of detail), and other evidentiary matters
7
Annual Audit Reporting and Completion The process of evaluating audit results, finalizing the Auditor's Report, and communicating the results of our work to the audit entity and its audit committee (or equivalent)
8
Consultation The Office's expectations regarding when consultations should take place

1 Approach to Annual Audits

Key Elements of Our Annual Audit Methodology

1.1 The key elements of the Office's annual audit methodology are as follows:

  • Risk-based Audit Approach;
  • Cumulative Audit Knowledge and Experience (CAKE);
  • Professional Judgment;
  • Experienced Auditor Principle;
  • Reliance on Controls;
  • Teamwork;
  • Consultation; and
  • One Pass Planning (OPP).

Risk-based Audit Approach

1.2 To reduce our audit risk to an acceptably low level, we apply a risk-based audit approach. Our objective is to obtain reasonable assurance that no material misstatements exist in the financial statements, whether due to fraud or error. This involves three key steps:

  • assessing the risks of material misstatement in the financial statements;
  • designing and performing further audit procedures that both respond to assessed risks and reduce the risk of not detecting a material misstatement in the financial statements to an acceptably low level; and
  • issuing a suitably worded audit report based on the audit findings.

1.3 In assessing the risk of material misstatements, the auditor considers factors such as

  • industry, regulatory, and other external factors, including the applicable financial reporting framework;
  • the nature of the entity, including the entity's selection and application of accounting policies;
  • the measurement and review of the entity's financial performance through analytical review; and
  • internal control.

Our audit approach requires us to understand the entity sufficiently to identify and respond to all aspects of risk of material misstatement as it relates to obtaining reasonable audit assurance.

Cumulative Audit Knowledge and Experience

1.4 Our Cumulative Audit Knowledge and Experience (CAKE) with the entity should always be considered as a source of information when designing our audit approach. We have a considerable amount of CAKE in almost all of our entities because of our long-standing role as their auditors. As well, we have conducted performance audits or special examinations on many of our clients, broadening our knowledge of the entity and its business. Our CAKE is also derived from our knowledge of the entity's objectives and risks, assessments of its control environment, and understanding of its information systems and computer environment; a wealth of other past experiences; a history of known errors in specific areas; an appreciation for any complex and/or high volume of transactions it enters into; and experiences shared across the Office with other colleagues, teams, and functional groups. In addition, our CAKE is enhanced by integrating our Information Technology Audit Specialists' knowledge and experience into all of our large audit teams.

Professional Judgment

1.5 We believe in delegating responsibility as appropriate, and emphasize the importance of applying the knowledge, skills, and experience of our audit Principals, Directors, and responsible Assistant Auditor Generals. The professional judgment of these individuals plays a crucial role in determining the nature and extent of the audit procedures required in a given circumstance, the quality of the resulting audit assurance obtained, and the degree of any cross-component audit satisfaction obtained through other audit procedures.

Experienced Auditor Principle

1.6 We are committed to complying with professional standards in terms of documenting the nature, extent, and timing of our audit procedures and their results. We do not document unnecessarily. Except in rare circumstances, we do not retain copies of client documents in our files. In keeping with these standards, we adhere to our documentation principle of recording enough information in the file to allow an experienced auditor with no previous connection to the engagement to understand the audit procedures that were performed, the evidence that was obtained, and the conclusions that were drawn.

Reliance on Controls

1.7 We are committed to adopting a reliance on controls approach to our audits where possible, recognizing that it is generally the most cost-effective strategy. We identify the controls best suited for reliance by drilling down through the organization, and generally place reliance on the highest level controls that we believe will help us achieve our audit objectives for the financial statement component(s) in question.

1.8 The degree of control reliance should always be assessed on a continuum. Reliance can range from very low to very high levels, depending on the design of the controls, the level of audit assurance provided, and the ability to test the controls cost-effectively. The auditor determines where the entity lies on the "controls continuum" for each business cycle. In other words, the auditor determines the level of assurance—from control testing—that is likely possible in the circumstances.

1.9 Most of our clients are heavily dependent on information technology (IT) for financial management and control purposes and for supporting operations, particularly with the adoption of Enterprise Resource Planning (ERP) systems by large departments. Accordingly, the audit team for every entity includes an auditor with specialized IT training and knowledge (IT Audit Specialist). These IT Audit Specialists contribute their expertise in understanding and assessing information systems and internal control, assisting the team in identifying key controls, and developing and executing appropriate tests of controls and other procedures where appropriate.

Teamwork

1.10 We are committed to working as a team and emphasizing collaboration and two-way communication. Supervisors explain clearly what is required and expected, and auditors discuss the progress of their work and their audit findings with the supervisor as the audit evolves. Consequently, review occurs as the audit work progresses, not at the end of the audit. Our objective is to do the right work and do it right the first time.

Consultation

1.11 We use consultation to manage audit risk and to ensure the highest level of quality in all our audits. We recognize that audit teams may require additional support on difficult or contentious matters, when applying professional judgment, or when auditing areas for which specialized knowledge may be required. As such, we encourage the consultation process through policies and procedures designed to obtain sufficient and appropriate support when required. Chapter 8 of the Annual Audit Manual is devoted to the consultation process, including when and how teams should consult.

One Pass Planning

1.12 One Pass Planning (OPP) was developed, among other reasons, to address the planning challenges faced by the OAG in responding to multiple audit mandates within the same audit entity. For departments and agencies, these mandates could include one or more of the following:

  • performance audits;
  • compliance with legislative authorities;
  • annual audit—Public Accounts—the audit of the Government's Summary Financial Statements;
  • assessment of performance information; and
  • work relating to our environmental and sustainable development mandates.

For Crown corporations, the mandates are as follows:

  • annual audit—Crown corporations, other separate entities, territorial governments, and territorial Crown corporations and other entities; and
  • special examinations in Crown corporations.

1.13 OPP is a two-step process.

  • Entity Risk Analysis: The audit team identifies the significant business risks facing the organization and aligns them with the appropriate audit mandate area.
  • Planning: The audit team develops a long-range plan (three- to five-year view) of desirable audit projects (based on the most significant business risks facing the organization), taking into consideration the Office's various audit mandates, strategic priorities of the Auditor General, and other factors.

1.14 OPPs are carried out approximately once every five years for departments and agencies. Special examinations of Crown corporations are performed at least once every ten years, and use a methodology that is similar to the Entity Risk Analysis component of OPP.

1.15 In connection with our annual audit risk analysis, we consider business risks identified during the OPP that are relevant within the context of a financial reporting framework.

OAG Approach to Conducting an Annual Audit

1.16 The diagram on the next page presents an overview of the Office's approach to conducting annual audits. Discussion of each major component of the annual audit follows.

Annual Audit Overview graphic

Overview of Our Annual Audit Approach

1.17 Our objective is to obtain reasonable assurance that no material misstatements, whether caused by fraud or errors, exist in the financial statements. Our audits consist of three main phases: Planning, Execution, and Reporting. Due to the integrative nature of the audit process, we have further broken down the phases into the following five key audit activities.

  • Engagement Management activities are part of the Planning Phase and involve client acceptance and continuance, as well as strategic planning activities. Examples of these activities include scheduling staff and team meetings, establishing timetables and budgets, obtaining auditor independence confirmations, and preparing the engagement letter.
  • Knowledge of the Entity and Risk Analysis activities are part of the Planning Phase and are designed to provide the audit team with sufficient understanding of the entity and its environment (including internal controls) to identify and assess the events that could result in a risk of material misstatement in the financial statements. At this stage, risk analysis activities focus on identifying risks related to the entity and its business environment, fraud, and internal controls.
  • Annual Audit Planning activities, still part of the Planning Phase, relate to establishing an overall audit strategy and a detailed audit plan to respond to assessed risks. Initially, we establish our audit objectives, assign a materiality level, gain an understanding of internal controls at the application level, and assess identified risks of material misstatement. This information is used to develop a Preliminary Audit Approach by Cycle (a high-level summary of the scope, timing, and approach to the audit by cycle) and for Designing Detailed Audit Programs (regarding the nature, timing, and extent of procedures).
  • Annual Audit Execution activities—the Execution Phase—include executing our detailed audit programs, and documenting our audit procedures and conclusions.
  • Annual Audit Reporting activities form the Reporting Phase of our audits. They include evaluating our audit results, revisiting our risk assessments, determining if sufficient and appropriate audit evidence has been obtained, communicating our audit findings, issuing our report(s), and completing the file.

Risk Analysis

1.18 Our audit approach requires us to reduce audit risk to an acceptably low level. To do this, we determine our overall responses to assessed risks at the financial statement level, and design and perform further audit procedures to respond to assessed risks at the assertion level. As such, we assess the risks of material misstatement due to fraud or error that may be present at two levels within the entity:

  • Entity or financial statements level that may affect multiple audit areas and related assertions. This includes risks that may have a pervasive effect on the financial statements (for example, going concern risks, risks resulting from a weak control environment, such as lack of management integrity and competence.)
  • Assertion level for classes of transactions (for example, completeness of revenue transactions), account balances (for example, valuation of accounts receivable) and disclosures (for example, transparency of disclosure of contingencies and commitments.)

1.19 To address these risks, our audit approach requires the use of financial statement assertions in sufficient detail in order to

  • consider the different types of potential misstatements that may occur (identify risks/what can go wrong);
  • assess the risk of material misstatement (evaluate significance of the risks); and
  • design audit procedures that are responsive to the assessed risks (relevant financial statement assertion).

2 General Audit Management Issues

Quality Management System

2.1 The Office's Quality Management System (QMS) is designed to provide "reasonable" assurance that annual audits are conducted in accordance with applicable legislative requirements, professional standards, and Office policies. Reasonable assurance recognizes that the cost of managing risks should not exceed the benefits likely to be derived.

2.2 The overriding goal of our QMS is to ensure that the Auditor's Report is appropriate in the circumstances. The QMS takes a holistic approach to the audit, identifying behaviours, expectations, and policies that touch on the individual, the audit team, and the Office as a whole.

2.3 The elements of QMS address a broad spectrum of activities that are grouped into three major categories:

  • Audit Management;
  • People Management; and
  • Continuous Improvement.

2.4 The conscientious application of these elements would typically result in an efficient and effective audit that adds value to the entity while assuming an acceptable level of audit risk. The technologies, tools, and teamwork concepts in our annual audit practice assist staff in achieving the objectives of our QMS.

2.5 When conducting an annual audit, staff should be conscious of, and act in accordance with, our established Office values:

  • serving the public interest;
  • independence and objectivity;
  • commitment to excellence;
  • respectful workplace;
  • trust and integrity; and
  • leading by example.

These values are fully supported by the elements of our QMS.

2.6 The QMS provides the framework for completing a "quality audit." Accordingly, staff are expected to be familiar with its structure and expectations, and the specific annual audit policies it encompasses. Although most audit policies set expectations only for senior members of the audit team, audit team members—individually and collectively—are responsible for building quality into their work.

Our Responsibilities as Legislative Auditors

A Government Accountable to Parliament

2.7 The people's right to control how their taxes are spent is one of the cornerstones of democratic government. In Canada, like other parliamentary democracies, this control is carried out on behalf of citizens by their elected representatives, the members of Parliament.

2.8 The government of the day must obtain the permission of Parliament before it can collect, borrow, or spend money. After it spends tax dollars, the government must also be able to show that it spent the correct amount, for the purposes approved by Parliament. This obligation of government to answer for its actions is called "accountability."

2.9 Over the years, a process has developed to hold the government to account. The government must report fully on its performance by submitting the following to the House of Commons:

  • the annual spending plans of each department;
  • reports on the past year's activities; and
  • annual financial statements showing all federal spending, borrowing, and taxing, known as the Public Accounts of Canada.

2.10 These documents are intended to provide members of Parliament with the information needed to hold the government to account. The final link in the accountability process—independent audit of that information—ensures that members of Parliament can effectively question or challenge the government on its performance.

2.11 The Office of the Auditor General of Canada (OAG) audits government operations and provides objective information and advice to Parliament that can aid in holding the government to account.

The Work of the Office

2.12 The statutory duties of the Auditor General provide a broad mandate to conduct audits and examinations in order to report on the government's management of its affairs. The Auditor General does not comment on policy choices but does examine how those policies are implemented. Accordingly, legislative audits address varied subjects:

  • the appropriateness of expenditures (in other words, whether they have been made in accordance with legislative authorities);
  • the appropriateness of the government's accounting policies;
  • the fair presentation of the financial statements of various government entities;
  • constraints to economical, efficient, and effective management of government resources;
  • the quality of financial management and control within government;
  • the appropriateness of procedures to manage the assessment, collection, and proper classification of government revenues;
  • the proper management of human resources in government;
  • departmental sustainable development strategies and action plans; and
  • instances where expenditures that have been made without due regard to economy or efficiency.

2.13 The products of the OAG are reports to the House of Commons and to various others, including ministers, legislative assemblies, boards of directors, and managers. These products include the auditors' reports emanating from the annual audits we conduct.

Refer to Practice Statement #4—Conducting our Audits in Accordance with CASs

Compliance With Authority

Compliance With Authority—General

2.14 Under the Canadian constitution, Canada is a federal state, with legislative jurisdiction—the power to make laws in relation to different subject areas—divided between Parliament and provincial legislatures. The federal government's actions are bound by the laws passed by Parliament, and by regulations passed pursuant to those laws and other authorities. Ministers are responsible and accountable to Parliament for the use of the powers given to them by law or otherwise. Ministers responsible for Crown corporations report to Parliament in discharging their accountability for these corporations.

2.15 One of the cornerstones of our system of government is the rule of law. This constitutional principle considers that everyone is subject to the law, that no one, no matter how important or powerful, is above the law. No person, entity or legislature has any powers except those given to it by law, meaning by the Constitution, by a law passed by Parliament or a provincial legislature, or by the common law of England, which we inherited and remains the basis of our constitutional law and the civil law—property and civil rights—except in Quebec (which has its own civil code).

2.16 Examples of instruments through which legislative and other authorities are exercised that are relevant to OAG auditors include the Financial Administration Act (FAA) and associated regulations (both federal and territorial), as well as the charters and bylaws of Crown corporations. The responsibility for observing the provisions of applicable authorities governing an entity rests with the entity's management, which is expected to develop management controls that provide reasonable assurance of compliance with authorities.

2.17 Compliance with authorities issues can arise in all of the product areas in which the Office conducts audit work, as well as in audits of territorial accounts and organizations, as set out in the Auditor General Act and the federal and territorial FAAs. Statutory provisions may set out a specific authority upon which we are required to give an opinion on compliance, or the requirement may arise in the course of conducting a more general audit mandate. None of our audit products deal solely with compliance with authorities. Compliance with authority is a pervasive matter in legislative auditing and it cannot be severed from the other work that we do.

2.18 It is the Office's view that, in order to serve Parliament well, we should be scoping "compliance with authorities" work into all annual audit work. We should focus our efforts on key authorities during the course of our annual audit examination and report instances of significant non-compliance in our Auditor's Report. Although the weight given to compliance with authorities will vary with the auditor's judgments regarding risk and significance—as will the specific approaches adopted—all work carried out by the Office should include appropriate consideration of compliance with authorities.

2.19 Consequently, each year, we perform detailed procedures designed to assess compliance with significant authorities, using various approaches. All instances where we find significant non-compliance are also considered by the Auditor General for reporting to the House of Commons.

Compliance With Authority—Public Accounts of Canada

2.20 According to the Constitution, revenue can be raised and monies can be spent or borrowed by the government only with the authority of Parliament. A money bill, for the raising or spending of revenue, must originate in the House of Commons, as the House is the custodian of the public purse.

2.21 Government programs and activities are first given legal effect through enabling or "program" legislation. Appropriation authority may be contained in such legislation when it specifies either the conditions under which payments may be made or the amounts to be paid, until the authority is withdrawn (statutory authorities). Annual spending is authorized by appropriation acts. The schedules to appropriation acts are made up of votes, which set the limits and stated purpose for which the government may spend money.

2.22 In general, no money can be borrowed by the federal government except as provided by the FAA or another act of Parliament that expressly authorizes the borrowing. Section 43.1 of the FAA allows the Governor in Council (Cabinet) to authorize the Minister of Finance to borrow money on behalf of the federal government.

2.23 As a constitutional requirement, money bills must originate in the House of Commons, but so too must bills to impose taxes. The Income Tax Act is an example of a federal statute that imposes taxes. Subject also to constitutional limitations, revenues may also be generated through legislation. An example of this is section 19 of the FAA, which states that the Governor in Council may either set fees or charges for services provided by the federal government or for the use of government facilities, or authorize ministers to do so by order.

2.24 Compliance with authority to spend, borrow, and raise revenues is a basic principle underlying the government's accounting system. The accounts of Canada generally reflect parliamentary authorizations due to the use of authority codes within the chart of accounts coding block for each transaction. The Public Accounts of Canada, which are prepared from the accounts of Canada, report on the government's use of authorities in the notes to the financial statements.

2.25 The Summary Financial Statements are included in the Public Accounts of Canada. As an overall summary, their fundamental purpose is "to provide information to Parliament, and thus to the public, to facilitate an understanding and evaluation of the full nature and extent of the financial affairs and resources for which the Government is responsible." The notes to the Summary Financial Statements also include summaries of compliance with spending and borrowing limits. In addition, general statements of compliance are contained in the Preface to the Financial Statements of the Government of Canada.

2.26 Unlike the auditor's requirements for Crown corporations (see below), there are no specific requirements under the FAA or the Auditor General Act to include any statement in the Auditor General's opinion on compliance with authorities for the Summary Financial Statements. Nevertheless, given the role of the Office as legislative auditor, the authorities component is an integral part of the audit of the Summary Financial Statements of the Government of Canada. Accordingly, this work reflects compliance with spending, borrowing, and revenue authority considerations.

Compliance With Authority—Crown Corporations

2.27 Federal Crown corporations and their wholly owned subsidiaries are important vehicles through which the government meets public policy objectives. Public ownership, together with their public policy orientation, affects their accountability, management, and control requirements. These entities are subject to the provisions of Part X of the FAA insofar as accounting, auditing, and reporting matters are concerned. These provisions require the corporation's auditor to express separate opinions on the fairness of the corporation's financial statements in accordance with generally accepted accounting principles; whether the accounting principles were applied on a basis consistent with that of the preceding year; and whether the transactions that have come to the auditor's attention in the course of the audit align with specified authority instruments. These instruments are the requirements of Part X of the Financial Administration Act, associated regulations, the charter and bylaws of the corporation or subsidiary, and any directives given to the corporation.

2.28 Compliance with authorities is not limited to the financial transactions in the narrow sense, but rather covers any activity for which the entity is responsible, such as the preparation of the corporate plan. In addition, the auditor's understanding of the entity's business and legal framework may cause him or her to become aware of situations or transactions that could infringe other Canadian legislation. It is important for the auditor to assess such transactions for possible impact on the financial statements and to consider whether they should be reported to the appropriate authority.

2.29 In the case of Crown corporations, instances of non-compliance that are considered significant must be reported to the appropriate minister in accordance with the relevant subsections of the FAA.

Compliance With Authority—Other Entities, Including Territorial Governments

2.30 The Auditor General expresses a separate opinion on the financial statements of other entities, including departmental corporations, territorial governments, and territorial corporations required by law to publish separate audited financial statements.

2.31 The mandate and objectives for the audit of the financial statements of other entities, including territorial governments, depend on the provisions of the legislation or Order in Council appointing the Auditor General. In all cases, it is important that the audit objectives established for the specific appointment reflect the role of the Auditor General as legislative auditor reporting to Parliament (or a territorial legislature) and the authorities' dimension of legislative auditing.

2.32 The Auditor General Act requires the Auditor General to report any matters considered to be of significance or of a nature that should be brought to the attention of the House of Commons. Additionally, pursuant to territorial legislation, the Auditor General is required to report any matters that he or she considers to be of significance or of a nature that should be brought to the attention of the Northern Legislative Assemblies. Regardless of whether the specific annual audit mandate requires compliance with authorities reporting, we would include a description of any significant non-compliance we found in our Auditor's Report, and consider whether it should also be reported to Parliament or the Northern Legislative Assemblies.

"Other Matters"

2.33 Annual auditors also have a responsibility to be on the alert for, and to report, "other matters" falling within the scope of the audit that, in their opinion, should be brought to the attention of Parliament. The Financial Administration Act, the Auditor General Act, and professional assurance standards collectively permit the Auditor General to report such "other matters."

2.34 "Other matters" are not reservations of opinion but are reported in accordance with the requirements set out in CAS 700 section 5701 of the CICA Handbook (Assurance)—Other Reporting ResponsibilitiesOther Reporting Matters. Accordingly, "other matters" identified during annual audits are reported in a separate paragraph of the Auditor's Report following our opinion. In addition to our Auditor's Report, other reporting vehicles—such as our Reports to Parliament and the Auditor General's Observations on the Financial Statements of the Government of Canada—are often used to ensure that Parliament is made aware of these "other matters."

2.35 Determining whether or not a potential "other matter" should be reported requires professional judgment and consultation. The overriding characteristic of all "other matters" is significance to Parliament. Significance can be determined through the following types of questions.

  • Does the subject have an important impact on results?
  • Is it an area of high risk?
  • Is it an isolated incident or indicative of a systemic problem?
  • Does it involve material amounts?
  • Does it have the potential to result in improved performance, accountability, or value for money? Will it make a difference?
  • Is it an issue with visibility or of current concern? Is it of interest to Parliamentarians and Canadians? Is the timing opportune for the audit and to meet the needs of the client?

ANNUAL AUDIT POLICY

The audit Principal should ensure that all annual audits for which he/she is responsible include specific and appropriate consideration of the existence of significant non-compliance with authorities and "other matters."


Executive and Board Compensation, Travel and Hospitality

2.36 As part of all annual financial audits, the Office performs audit work on senior executive and board compensation, travel, and hospitality. The scope of this review includes the total compensation packages (including cash remuneration, benefits, and perquisites) and travel and hospitality expenses for Order in Council appointees, including members of the board of directors, and for other senior executives in the organization (generally vice-presidents/members of the executive committee).

2.37 We review this area annually to identify potential risks. We also carry out detailed tests of controls or on selected transactions at least once every three years, as well as in response to specific risks that we have identified.

2.38 The objective of this review is to determine if senior executives' and board members' compensation arrangements and travel and hospitality expenses comply with relevant authorities and approved policies of the organization. In addition, during our review, we assess the impact of matters that come to our attention and that could be an indicator of lapses in values or ethics, weak governance, or inadequate oversight and control.

Audit Team Roles and Responsibilities

2.39 Auditing involves a team effort in pursuit of the goal of an efficient, effective annual audit that satisfies our terms of engagement, meets Parliament's and other stakeholders' needs, and complies with professional standards and Office policies.

2.40 "Teamwork" is a broad concept that generally refers to coordinated efforts by a group of people working together for a common cause. In this manual, teamwork refers to efforts undertaken by the audit team.

The Audit Team

2.41 The audit team consists of the following members:

  • entity Principal/the Practitioner;
  • Director;
  • audit Project Leader;
  • audit professionals;
  • member(s) of the IT Audit group (IT Audit Specialists);
  • audit trainees working toward a professional accounting designation;
  • other audit staff, including summer students and co-op students;
  • external specialist(s), in some instances; and
  • depending on the circumstances, the responsible Assistant Auditor General may operate as a member of the audit team and oversee the work of the team.

Smaller teams will not include all of the staff levels listed above.

Characteristics of a Successful Audit Team

2.42 A successful audit team has the following characteristics:

  • The individuals will collectively possess the knowledge, skills, and expertise necessary to successfully complete the audit. These competencies include
    • an understanding of, and practical experience with, assurance engagements of a similar nature and complexity through appropriate training and participation;
    • a knowledge of relevant information technology;
    • a knowledge of the subject matter of the practitioner's report;
    • an understanding of professional standards and regulatory and legal requirements applicable to the specific engagement;
    • a general understanding of laws and regulations applicable to the subject matter;
    • an understanding of the nature of the entity's operations and a knowledge of the specific industry, as appropriate;
    • the ability and experience to exercise professional judgment; and
    • an understanding of relevant quality control policies and procedures.
  • Individuals will demonstrate
    • independence, objectivity, and professional skepticism;
    • a commitment to each other to support an environment where coaching, information sharing, and ongoing communication are the responsibility of everyone; and
    • a commitment to executing the audit plan in an efficient and effective manner.

In simple terms, what the Office strives to achieve in building audit teams is the following:

Doing the right work;

Doing it with the right people; and

Doing it right the first time.


Roles and Responsibilities

Refer to Practice Statement #3—Senior Roles and Responsibilities for Audit Quality

2.43 Audit team members have responsibilities for corporate management, people management, audit management and delivery, entity relations, and internal and external communication. The following discussion outlines the key responsibilities of the various members of an audit team for audit management and delivery.

2.44 The Assistant Auditor General (AAG) is accountable to the Auditor General for final products and

  • provides strategic vision and advice, and performs a management challenge role regarding the purpose of the audit, methodology, findings, and cost;
  • approves the audit strategies, objectives, and plans developed by Principals as well as the recommendations from external advisors. The degree of AAG involvement is risk-based and depends on the experience of the team and the sensitivity of entity issues. Of particular importance is the AAG's timely involvement during the Planning Phase and oversight during reporting;
  • ensures appropriate staffing of audits. After considering advice from product line committees, the AAG is accountable to the Auditor General for the use of resources on products;
  • ensures that the Office's position on topics is consistent and encourages "no surprises" audits for the entity; and
  • ensures that there is a risk-based long-term strategy for audits of the entity and that all work meets audit standards. The AAG participates in audit committee meetings, as appropriate, and helps identify "value-added" opportunities in the committees' work.

For all types of audits, the AAG

  • manages senior client relations;
  • flags important or sensitive matters for the Auditor General; and
  • provides assurance of audit quality, by ensuring compliance with the quality management framework.

2.45 The Principal is accountable to the AAG for the use of resources on products, and shares responsibility with the AAG for assigning work. The Principal is also responsible for ensuring that products are delivered on time and within budget.

  • The Principal is the Engagement Practitioner as defined by the CICA Handbook and, as such, is responsible for ensuring that each engagement complies with professional standards and OAG policies. This includes ensuring that, throughout the engagement,
    • the engagement team has the necessary competencies, resources, and time to carry out the engagement;
    • team members comply with OAG conflict of interest, confidentiality, and independence requirements and have the appropriate security clearances;
    • there is appropriate planning, supervision, and review of team members;
    • discussions with other team members, internal specialists, quality reviewers, AAGs, audit leaders, methodology principals, the Deputy Auditor General (DAG), and the Auditor General are timely, appropriate, and properly documented;
    • the audit is conducted in compliance with Office policies, the audit quality control system, and professional standards; and
    • there is sufficient and appropriate evidence to support the audit's conclusions.
  • The Principal develops the audit strategies, objectives, and plans, using the audit manual for guidance. If necessary, the Principal hires contractors to conduct or help conduct the audits, and recommends external advisors for approval of the AAG.
  • The Principal also reviews all audit report drafts prior to review by the AAG, and conducts quality reviews.

Refer to Practice Statement #5—Team Members' Understanding of CASs

ANNUAL AUDIT POLICY

The audit Principal should ensure that the audit team collectively has the necessary competencies, resources, and time to perform the assurance engagement in accordance with professional standards and regulatory and legal requirements, and to enable the issuance of an Auditor's Report that is appropriate in the circumstances.

When the audit Principal does not have a professional accounting designation, the Assistant Auditor General will ensure the team has the necessary competencies.

2.46 The Director supports the principals and helps them fulfill their roles and responsibilities. They also contribute to the Office by managing projects and resources on a daily basis.

  • Directors are responsible for conducting audits according to professional standards and Office policies, drafting chapters and reports, and managing audit teams, budgets, and schedules.
  • Directors are accountable to principals for the use of resources on products, and they share responsibility with principals for assigning work. Directors are also responsible for ensuring that audits are delivered on time and within budget.
  • For each audit, directors develop detailed plans and establish assignment and performance objectives for auditors. They are expected to ensure that audit findings are validated and that any disagreements are documented.
  • Directors are expected to provide supervision, coaching, on-the-job training, and continuous feedback to auditors and to less experienced colleagues. They are also required to ensure that assignment reviews are completed once the audits are finished.

2.47 Team leaders (generally the audit project leaders, experienced audit professionals, and occasionally directors) have primary responsibility for ensuring that the strategic plan and detailed audit programs, as outlined in the Preliminary Audit Approach and the Summary of Comfort (see paragraph 5.96 for a definition of Summary of Comfort) are executed as intended; supervising and coaching staff; and resolving day-to-day audit management issues. The general responsibilities of team leaders include the following:

  • leading the development of the detailed audit programs (Summary of Comfort) for individual sections of the audit;
  • resolving audit issues as they arise, working with staff, the client, and the engagement manager(s) as necessary;
  • drafting internal and external communications, including reports to the audit committee, management letters, and the Report Clearance Summary;
  • ensuring that the detailed audit programs (Summaries of Comfort) are executed in accordance with the direction set out in the strategic plan;
  • assigning staff to audit tasks, taking into account their capabilities and personal interests, as well as developmental opportunities;
  • overseeing the development of tailored audit programs to make them more efficient and relevant to the specific entity, including the use of tailored analytical procedures;
  • managing the day-to-day aspects of the audit, including "on-site" supervision of audit professionals and others;
  • ensuring that junior staff understand the audit objectives of their specific tasks, the audit procedures they will execute, and the deadlines for this work;
  • coaching team members on an ongoing basis and resolving minor audit issues as they arise;
  • keeping the engagement manager(s) apprised of any significant audit issues;
  • assisting the engagement manager(s) in analyzing significant audit issues and proposing strategies to address them;
  • completing the file review on a real-time basis;
  • ensuring that the detailed audit programs are executed properly;
  • executing the audit program for high-risk areas requiring a significant degree of management judgment or estimates, or that involve complex transactions;
  • ensuring that key audit documents (such as legal letters, the management representation letter, the list of required client-prepared schedules, and confirmations) are prepared on time and in an accurate manner;
  • leading by example in terms of coaching, listening, supporting, assisting, and establishing collegial and inclusive working relationships;
  • participating in team meetings and sharing information that is significant to the work of other team members;
  • regularly monitoring the status of the audit and holding progress meetings with the client;
  • providing input to the engagement manager(s) in evaluating the performance of staff;
  • ensuring that staff replicate their work regularly in order to keep the TeamMate entity master file up-to-date and to prevent the loss of the work performed to date; and
  • maintaining control over the TeamMate entity master file.

2.48 Team members (audit project leaders, audit professionals, students) have primary responsibility for completing individual sections of the audit assigned to them and working closely with team leaders to ensure they achieve the intended objectives of their work. The general responsibilities of team members include

  • understanding the audit objectives of all work to be performed before their execution;
  • executing one or more audit sections in accordance with the detailed audit program;
  • seeking guidance and direction from the team leader(s) or engagement manager(s) when audit issues are identified;
  • keeping the team leader(s) and/or engagement manager(s) informed on a regular basis of the work being done, audit findings, overall progress, any constraints or difficulties being encountered, and other relevant information;
  • identifying opportunities to improve the audit approach or specific audit procedures;
  • documenting the work performed, efficiently and effectively, in accordance with Office policies, including documentation of exceptions;
  • in some cases, supervising one or more team members, including audit trainees and/or other staff;
  • ensuring that staff under their supervision understand their areas of responsibility, the audit procedures they will be executing, and the planned completion date;
  • providing coaching and performing file review;
  • being receptive to coaching and file review by others;
  • participating in team meetings and sharing information that is significant to the work of other team members;
  • maintaining sound professional relationships with the client; and
  • making the engagement manager(s) aware of any real or potential conflicts of interest that could threaten the actual or perceived independence of the auditor.

2.49 It is important to note that staff may fill different roles for different aspects of the audit. For example, an auditor may have responsibility for more than one section of the audit file and may have supervisory responsibilities for one of those sections. In this example, the auditor will perform some elements of the role of team leader for the section where he/she is supervising the work of another staff member and will assume the role of team member for those sections where she/he has sole responsibility.

IT Audit Specialists

2.50 Under the Office's annual audit methodology, IT Audit Specialists are integral members of the audit team, whose primary responsibilities are to

  • assist the audit Principal in understanding the design and implementation of general computer controls (GCCs);
  • assist the audit Principal in identifying strategic IT risks in the audit entity, as part of the Annual Audit Planning;
  • assist the audit Principal in understanding the entity's information and accounting systems, and in determining the nature and extent of reliance on IT-dependent controls (meaning automated application controls or manual controls relying upon system-generated data) that is feasible in the entity;
  • work with the audit team members to determine if testing the operating effectiveness of general computers controls is necessary when manual controls rely upon system-generated data;
  • test the operating effectiveness of GCCs in situations where reliance on automated application controls is desired;
  • if necessary, test the operating effectiveness of general computer controls; and
  • work with other team members in the design, execution, and evaluation of tests of controls, including application controls and management and monitoring controls.

2.51 The extent of an IT Audit Specialist's involvement will depend upon the nature and extent of planned reliance on IT-dependent controls and the complexity of the audit entity's business cycles and related IT systems.

ANNUAL AUDIT POLICY

The audit Principal should ensure that the audit team has consulted with an IT Audit Specialist in determining the audit strategy. The advice received and conclusions reached as a result of this consultation should be adequately documented, agreed to by the IT Audit Specialist, and reflected in the audit strategy.

The audit Principal should ensure that, if the audit strategy places reliance on IT-dependent controls, the audit team has at least one member with sufficient specialized IT knowledge and audit skills, such as an IT Audit Specialist.

2.52 When an approach involving reliance on IT-dependent controls is envisaged for a key business cycle, or when there have been significant changes during the year in the audit entity's systems or business cycles, the role of the team member with specialized IT knowledge and experience (the IT Audit Specialist) will be more significant. The IT Audit Specialist's involvement will increase in planning the audit and in documenting, assessing, and testing GCCs and application controls.

2.53 Factors that could lead to a reliance on IT-dependent controls and increase the involvement of an IT Audit Specialist include the following:

  • a high volume of transactions;
  • the number of applications producing accounting data;
  • a high number of users;
  • processing outsourced to an Application Service Provider;
  • data/connectivity outsourced to an Infrastructure Service Provider;
  • complex calculations being carried out by financial applications;
  • a significant number of computer-generated transactions;
  • electronic commerce or Internet-enabled applications;
  • complex interfaces between key business cycles and related applications; and
  • the ability of the audit entity to document a clear and reliable audit trail or an audit trail that is complex, unclear, or lacking.

2.54 The decision to rely (or not) on IT-dependent controls must be approved by the audit Principal, in consultation with the IT Audit Specialist.

2.55 The table below can aid in determining appropriate IT Audit Specialist involvement.

Recommended IT Audit Specialist Participation
TeamMate Reference
Reliance on Automated
Application Controls
No Reliance on
Automated Application
Controls
Auditors
IT Audit
Specialist
Auditors
IT Audit
Specialist

Map activities and systems to audit areas and identify business cycle

(Identify and document significant processes and systems)

B. 8.PS
X
 
X
 
Complete assessment of design and implementation of GCCs
B. 8.PS
X
 
X
Consulting*
Analyze the impact on the audit strategy
B. 8.PS
 
X
X
Consulting*
Determine if GCCs testing is required when manual controls rely upon system-generated data
B. 8.PS
Combined team
X
Consulting*
Determine level of GCCs testing
F.PS
 
X
 
 
Document and validate GCCs
F.PS
 
X
 
 
Conclude reliance on GCCs
F.PS
 
X
 
 
Document application controls  
Combined team
X
Consulting*
Validate application controls  
Combined team
X
Consulting*

*An IT Audit Specialist should be involved if there is uncertainty about the audit approach, or if assistance is required for the documentation, evaluation, and/or testing of controls.

External Specialists

2.56 In some audits, it may be necessary to contract externally for specialized knowledge, skills, and experience (a professional actuary, for example). The responsibility to identify the need for external specialist knowledge and to obtain the services of the specialist rests with the entity Principal. The specific responsibilities of the external specialist will normally be defined by the contractual relationship with the Office. The entity Principal is responsible for the quality of the work of the external specialist, for the proper evaluation, application, and documentation of the specialist's findings, and for complying with CICA standards on the use of a specialist.

Internal Specialists

2.57 In any given annual audit, there may be wide variation in the nature and extent of consultation with OAG internal specialists. These individuals cntribute directly to the success of the audit team by providing knowledge and expertise in areas that may be specialized, complex, contentious, or unusual. These individuals are not members of the audit team but assist the team in ensuring that its audit objectives are achieved. For annual audits, the following internal specialists are frequently consulted.

  • Annual Audit Practice Team (AAPT) members provide advice on the Office's assurance methodology and on technical accounting matters for all annual audits.
  • Central Team members provide advice of a methodological or technical accounting nature relating to the audit of the Summary Financial Statements of the Government and/or audits of departmental financial statements.
  • Legal Services provides advice on legal issues arising in the course of audits, the engagement of outside legal counsel, and in-house legal issues in areas such as personnel relations, labour relations, and contracting.
  • The Financial Instruments Specialist will assist teams in incorporating a thorough risk analysis of financial instruments into their audit. The Specialist will also provide advice on a variety of matters relating to financial instruments, derivatives, risk management, and asset liability management techniques.
  • The Forensic Audit Section provides assistance and guidance to entity teams on matters of wrongdoing and fraud.
  • Other specialists contribute as necessary.

Delegation at the Team Level

2.58 Delegation of audit responsibilities at the audit team level is the responsibility of the Principal. In addition to the audit risk associated with an engagement, Principals should consider two other broad categories of factors in determining the appropriate degree of delegation and the assignment of responsibilities to team members: Parliamentary interest and Office internal factors.

2.59 Audit entities may attract the attention of Parliament for a variety of reasons. This interest could arise from

  • legislative changes affecting the entity;
  • matters raised during Question Period;
  • letters to the Office from members of Parliament;
  • media attention; and
  • partisan debate.

2.60 In general, the greater the Parliamentary interest in an entity, the greater the risk to the Office.

2.61 There may also be factors internal to the Office that could affect the degree of delegation in the engagement, including

  • planned changes of significance in the audit approach;
  • the experience of the team;
  • continuity of staff;
  • tightness of reporting deadlines; and
  • the availability of specialists, where required.

2.62 In cases where a number of these factors are present, it may be appropriate for the Principal to modify his or her approach to delegation. For example, the presence of factors indicating higher risk to the Office would require

  • increased involvement by the Principal and the responsible Assistant Auditor General in key aspects of the audit,
  • more extensive consultations with internal and/or external specialists, and/or
  • the assembly of a more senior and experienced audit team.

2.63 Conversely, the presence of conditions suggesting lower risk to the Office may allow for increased delegation to more junior staff and/or less involvement with consultants and/or specialists. For example, in lower risk engagements, the following actions might be appropriate.

  • The responsibilities normally assigned to the Principal could be delegated to an experienced Director.
  • The degree of involvement by the Principal in key aspects of the audit could be reduced.
  • The responsibilities normally assigned to a Director could be delegated to an experienced audit professional.

2.64 The Principal would normally ensure that significant changes in his/her assessment of the audit risks associated with the engagement are discussed with the responsible Assistant Auditor General. Significant increases or decreases in the perceived risk to the Office, as well as their impact, if any, on the Office's Delegation of Signing Authority, should be communicated to the Product Leader for Annual Audit.

Delegation of Signing Authority

2.65 The Office has a formal Delegation of Signing Authority document that identifies who will sign annual Auditor's Reports. The Delegation of Signing Authority document is updated periodically and is available on the Annual Audit INTRAnet site.

Quality Assurance Services Roles and Responsibilities

Refer to Practice Statement #3—Senior Roles and Responsibilities for Audit Quality

2.66 There are three quality assurance services that support the Office's quality management system. The first two are involved prior to the completion of the audit, while the latter generally takes place post-completion:

  • AAPT;
  • Quality Reviewer; and
  • Practice Review.

2.67 AAPT's financial statement review has two broad objectives: to ensure that there is a consistent approach to significant audit issues throughout the Office; and to ensure that the Auditor's Reports conform to professional reporting standards and are appropriate to the financial statements presented.

2.68 Quality Reviewers are appointed for audits generally associated with higher risk to the Office. The quality control review performed by the Quality Reviewer provides an objective evaluation of the significant judgments the audit team made and the conclusions reached in formulating our audit opinion. This takes place before the Auditor's Report is issued.

2.69 Practice Review fulfils an important role in monitoring compliance with Office methodology by helping ensure that it is well designed, consistent with professional requirements, and operating effectively. The Practice Review function also promotes continuous improvement in our audit practices through reports and presentations.

2.70 From a monitoring compliance perspective, the Practice Review function provides assurance to the Auditor General that our annual audits meet professional standards and that the Auditor's Reports issued by the Office are appropriate in the circumstances. This work involves conducting post-audit reviews annually on a sample of completed audit files. Practice Review may also examine "horizontal" issues of interest to the Office's annual audit practice as a whole.

Coordinating Work With the Regional Offices

2.71 Many entities have highly decentralized operations in order to provide services to the various regions of the country. The OAG has therefore established regional offices to ensure first-hand knowledge of these decentralized operations, a relationship of respect and trust with regional entity management, and the most cost-effective use of resources.

2.72 Both the entity and regional Principals should ensure high levels of cooperation, coordination, and liaison between regional and entity teams. This pertains to situations involving the regional office in entity planning, designating regional staff as liaison with an audit entity, promoting two-way communication on emerging audit issues, giving early notice of planned field trips, and utilizing regional staff when dealing with matters located in the regions.

Sufficient and Appropriate Audit Evidence

General Considerations

2.73 In addition to the documentation standards required under generally accepted auditing standards, the Office has two additional requirements: solicitor-client privilege letters must be sent before an audit begins; and all documentation related to audits must comply with the Library and Archives of Canada Act.

2.74 Information can come in many formats, including electronic, paper, visual, and auditory. With respect to compliance with the Library and Archives of Canada Act, two types of information—regardless of format—are created, received, or used in an audit:

  • records, which are kept to support decision-making; and
  • transitory information, which is not retained.

2.75 Records must be retained in our files, whereas transitory information should be discarded as soon as possible after it is no longer needed. Generally, routine entity documents that are reviewed as part of our audit testing would be considered transitory as they are used to prepare a subsequent record in the form of a working paper or note to the file indicating the work or testing that has been performed. A copy of an entity document would become a record if it supported an exception or issue, such as non-adherence to entity policies.

2.76 Additional information regarding audit evidence is available on the Annual Audit INTRAnet site under "Guidance for Managing Audit Records in the OAG."

ANNUAL AUDIT POLICY

In carrying out an annual audit, the audit team should ensure that all records are documented in the audit file.


Responsibility

2.77 Audit plans are only as good as their execution. The auditor is responsible for documenting the nature, timing, and extent of the work performed in executing the plan. The auditor is also responsible for providing a conclusion on the results of its work. Proper supervision and coaching help to ensure that the audit objectives have been met and that a quality audit has been achieved. This is confirmed through file review and other corroborative means. The audit Principal and the individual managing the audit are responsible for ensuring that sufficient appropriate evidence is obtained to support the content of the Auditor's Report.

ANNUAL AUDIT POLICY

The audit Principal and the individual managing the audit should ensure that there is sufficient and appropriate audit evidence to support the content of the Auditor's Report.

2.78 For the annual audit of the Public Accounts of Canada, the Central Team relies on the work performed by the entity teams. Entity teams are responsible for properly planning and executing the audit approach and ensuring that there is sufficient and appropriate audit evidence provided to the Central Team.

Documentation Standards in TeamMate

2.79 The execution of an annual audit must be documented in a manner that complies with generally accepted auditing standards, which requires the procedures performed, evidence obtained, conclusions reached with respect to relevant financial statement assertions, and any related findings to be documented in the audit file. The nature and extent of working papers in the audit file is a matter of professional judgment; however, the audit staff should be guided by the following documentation principles, including the Experienced Auditor Principle discussed at paragraph 1.6:

  • provide evidence essential to support the Auditor's Report;
  • provide a record of the key planning decisions and information that clearly illustrates the nature, extent, and timing of audit procedures performed, the results thereof, and the conclusions drawn from the audit evidence obtained;
  • clearly demonstrate that the work was in fact performed;
  • provide documentation of consultations and disposition of comments;
  • provide documentation of meetings with the entity's management and board of directors;
  • record sufficient information in order that the audit work could be performed again, but no more than necessary;
  • maximize the audit software by fully tailoring the audit programs, which become the record of work done, and minimize documentation requirements;
  • use the "Results" field in TeamMate for the majority of the documentation needs;
  • create separate working papers when necessary (for example, for high-risk areas, audit work based on entity-prepared schedules, a large body of information);
  • avoid putting copies of entity documents in the file if the documents can be described in sufficient detail that they could be obtained from the entity in the future;
  • use scanners on an exception basis to capture client documents electronically;
  • emphasize face-to-face communication among team members to clarify expectations, streamline documentation, and facilitate review; and
  • document issues, including exceptions, only once in the audit file.

2.80 The nature and extent of documentation is not dependent on audit risk and selected audit strategy (i.e. the degree of controls reliance) but on the nature of the audit work performed and the related findings.

2.81 Overall, the documentation should contain sufficient detail (where possible, within the audit program) to enable an experienced auditor, having no previous connection with the engagement, to understand

  • the nature, timing, and extent of the audit procedures performed;
  • the results of the audit procedures and the audit evidence obtained (what evidence was obtained, how it was acquired, and, if necessary, the ability to duplicate the steps using documentation retained by the entity); and
  • significant findings or issues arising during the audit and the conclusions reached thereon.

2.82 During the team planning meeting, the team should agree upon common working practices, including documentation techniques unique to the engagement, for example

  • how lead schedules will be documented and included in the working papers;
  • the nature of issues that should be tracked as exceptions;
  • use of entity prepared schedules;
  • how time will be tracked; and
  • what will be maintained within the electronic audit file and what, if any, in a paper audit file. To the extent possible, the audit team should obtain documentation from the entity in electronic format.

Audit Programs and Audit Findings

2.83 Tailored audit programs are the key to documentation of sufficient, appropriate audit evidence within the electronic audit file. The "Audit Step" field should specify the work to be performed. The objective of the audit step and the related financial statement assertions should also be specified in the appropriate field.

2.84 The "Results" field should be used to summarize the work performed. This may include a list of transactions reviewed if this information is not documented on a separate, but linked, working paper (in order to meet the Experienced Auditor Principle). Copies of entity records should not be retained in the working papers unless one or more of the following conditions exist.

  • The entity does not have a reasonable document retention policy that covers the documents or records involved in the audit.
  • There is a known issue or an area that involves a question of judgment or principle.
  • The computerized system does not retain the details of transactions examined or reviewed.
  • There is concern that a document or record (in electronic form or hard copy) may be amended or altered.
  • It is a record under the Library and Archives of Canada Act.

2.85 The information recorded in the "Background" field is carried forward when the file is rolled over for the next year's audit. Therefore, this field may be used to record information that will assist in the understanding of an audit step and that does not change significantly from year to year (for example, descriptions of relevant systems or control procedures, key entity contacts, or the nature of the items examined.) Special care must be taken for mandatory audit procedures since the "Background" field is automatically replaced with the content of procedures imported from TeamStores.

Exceptions

2.86 Significant issues should be documented in "Exceptions" and linked to the appropriate audit step(s). To avoid unnecessary documentation and ensure timely resolution, team members should discuss the issue with the audit Project Leader, audit Principal, or Director prior to documenting a finding as an exception. Audit observations should also be documented in Exceptions, such as planning points, management letter comments, control(s), summary of unadjusted differences, errors, corrected errors, "other matters" paragraph, authorities, fraud and illegal acts, best practices, accounting policy concerns, and scope limitations.

Hard Copy Information

2.87 The majority of audit work is captured in electronic working paper files, so hard copy working papers should be kept to a minimum.

2.88 In some instances, a small paper file will be required to store original copies of key documents not available electronically. The paper file could be used to retain critical documents such as the final signed financial statements, the management representation letter, the legal letter(s), and any third-party confirmations.

2.89 In other cases, the audit team may choose to scan key hard copy documents into the electronic file. Discretion should be exercised when scanning documents due to the excessive amount of file space required by these images, which considerably slows the replication performance of the file. For lengthy documents, the audit team should identify key pages to be scanned.

2.90 The audit file should not contain copies of draft correspondence and documentation, including draft financial statements, only final documentation. Draft documentation (for example, draft financial statements) should be retained in either the electronic or paper file as necessary to evidence the performance of audit procedures or the reaching of audit conclusions (a record under the Library and Archives of Canada Act). Wherever possible, such procedures should be documented on a separate working paper rather than in draft documents in order to reduce the number of such documents in the file.

ANNUAL AUDIT POLICY

The audit Principal should ensure that information retained in the audit file is essential, meaning that it describes the formulation of the audit plan; explains the nature, extent, and timing of the audit tests and other procedures to be performed; describes the results of the auditor's tests and his/her conclusions thereon; and complies with the Library and Archives of Canada Act.

The audit Principal should ensure that the audit file contains a sufficient level of detail to enable an experienced auditor to understand the audit procedures performed, the evidence obtained, all significant issues and findings or issues arising during the audit, and the conclusions reached thereon (the Experienced Auditor Principle).


Permanent Folder in TeamMate and the Retention of Documents of Ongoing Significance

2.91 The purpose of the permanent folder in TeamMate is to document information that may have significance for more than one year. For example, the following client information and audit working papers that have ongoing significance would be documented and carried forward:

  • background information on the entity and its industry;
  • abstracts or copies of significant contracts or agreements examined to evaluate accounting for significant transactions (such as material agreements with suppliers and vendors); and
  • position papers and consultations supporting significant audit issues.

Teamwork—Briefing, Coaching, and File Review

2.92 Generally Accepted Auditing Standards (GAAS) require that assistants be properly supervised in their work. Accordingly, audit work must be reviewed to ensure that it has been performed in accordance with the approved plan and adequately documented, that findings and conclusions are appropriate, and that any contentious or complex issues have been properly resolved.

2.93 To meet this GAAS requirement, an annual audit is conducted using a "team-based" process characterized by real-time coaching, periodic team update meetings, and file review. This process may be depicted as follows:

Team-based process graphic

2.94 Supervision is an important aspect of quality management. It should be characterized by "real-time" supervision and coaching that builds in quality as the audit unfolds. Using coaching, briefing, and file review techniques, auditors should receive levels of supervision and coaching appropriate to their skills and experience. It is the responsibility of the audit Principal to ensure that all team members receive timely and appropriate direction and supervision.

2.95 Verbal interaction is an important tool for helping to ensure that audits are conducted properly. Audits should involve continuous and ongoing communication among audit team members. The key elements of effective teamwork are

  • briefing;
  • coaching; and
  • file review.

2.96 Briefing meetings embody a two-way communication process where less experienced staff are encouraged to think through the process both at the audit level (involving the whole team), as well as at the task level. Briefings should occur throughout the audit, starting with the team planning meeting during the initial stages of the audit, continuing with regular meetings throughout the fieldwork, and concluding with a team debriefing meeting after the fieldwork is substantially complete.

2.97 The primary purpose of the team planning meeting is to discuss with team members the key audit strategy decisions involving business risk, other inherent risk, and the preliminary audit strategy by business cycle. The team planning meeting is discussed further in Chapter 5—Annual Audit Planning.

2.98 Teams should meet regularly throughout the fieldwork to share information, explain issues, and provide feedback on the progress of the audit. On larger engagements, this communication could take the form of weekly update meetings, whereas on smaller audits, meetings would be less frequent and less formal.

2.99 After the fieldwork is substantially complete, a debriefing meeting involving the whole team provides feedback on all aspects of the audit. This promotes the philosophy of continuous improvement and provides an opportunity to evaluate the overall evaluation of audit performance.

2.100 Coaching involves an interactive one-on-one discussion between a team member and his/her supervisor. The individual being coached is encouraged to think issues through rather than merely following a set of instructions. Coaching occurs on an ongoing basis to assist staff in setting goals, evaluating issues, outlining options, determining action steps, and performing the work. Coaching should occur at all staff levels.

2.101 File review is an essential tool for providing quality assurance to the Office and for teaching purposes. The quality-related benefits of file review are maximized when the reviewer(s) concentrates on matters of significance, while its teaching benefits are maximized when feedback is timely. In order for both of these benefits to be realized, file reviews should be completed by an appropriately senior member of the audit team.

2.102 During file review, the reviewer ensures that all necessary work has been carried out and has been appropriately documented based on the Experienced Auditor Principle. This is achieved through a detailed review of documentation by one reviewer. Evidence of the review should be indicated by electronic signature on the working papers and audit procedures summaries.

2.103 Coaching and file review are conducted on-site by the section supervisors, team leader, and from time to time, the audit Director and Principal. We encourage the use of "review by interview" (discussions between the preparer and reviewer) as a valuable coaching and file review tool. This on-site interaction results in better development of team members as well as more frequent interaction with entity personnel; however, verbal discussions alone are not sufficient. The file reviewer must also perform a detailed review of working papers to ensure sufficient and appropriate documentation of the audit. Timely coaching and file review will result in documentation that is streamlined to reflect the requirements of professional standards and an audit that is as efficient and effective as possible.

2.104 Coaching notes should be used as necessary to facilitate the team-based process. Examples of appropriate coaching notes include follow-up points as a result of a file review, coaching discussions, personal reminders, to-do lists, or lists of outstanding information from entity staff.

2.105 Coaching notes should not be used to document audit evidence. Audit working papers should stand alone as a record of work done in an audit. Matters that have been raised during file review and coaching should be addressed and documented in the working papers.

2.106 The level of detail involved in a review can vary, depending on the audit risk and significance. Each file would normally be reviewed by an individual more senior than the individual who prepared the file, and who possesses appropriate knowledge and experience in the areas subject to review. Most audit areas necessitate only one level of detailed review, whereas higher risk areas generally require two levels.

2.107 Issues should be discussed with the Project Leader and the Principal/Director, as appropriate, as soon as they are identified. This allows issues to be appropriately addressed—which may involve discussion with the entity—and documented at an early stage of the process. Final review should therefore not be a lengthy process, since the Project Leader, Director, and audit Principal are already familiar with the issues.

2.108 The IT Audit Director may review the work of the IT Audit Specialists on the team, depending on the complexity of the IT environment, the nature and extent of IT involvement, and the arrangements with the audit Principal. The audit Principal and/or the individual managing the audit should ensure that they have a sufficient understanding of the IT-related aspects of the audit work performed, the results achieved, and the conclusions reached.

2.109 Approval must also be obtained from the Assistant Auditor General at key stages of the audit, except in those cases where authority to sign the Auditor's Report has been delegated to the audit Principal. Specifically, the responsible AAG must approve the strategic approach to the audit in the Planning Phase and the recommendation for signing the Auditor's Report at the Reporting Phase. The responsible AAG will indicate approval by signing-off the Preliminary Audit Approach by Cycle folder and the Report Clearance Summary in the Reporting and Completion folder of the audit file. Auditors can consult the TeamMate AA Sign-off Checklist to ensure that they obtain appropriate audit approvals.

ANNUAL AUDIT POLICY

The audit Principal should ensure that all working papers are reviewed, on a timely basis, by a qualified member or members of the audit team. The Project Leader should ensure that all coaching notes have been cleared and discarded and that working papers have been updated upon completion of the audit.

Audit of the Public Accounts of Canada

Refer to Practice Statement #8—Multi-Location (Group) Audits

2.110 The annual audit of the Public Accounts of Canada is the largest annual audit in Canada and involves most entity teams in the Office. Therefore, it is important that there is an understanding of how this audit is managed and where general responsibilities lie.

2.111 The Public Accounts audit is the annual examination of the summary financial statements of the Government of Canada. The Office's primary reporting responsibility is to the House of Commons. The objectives of the Public Accounts audit are derived from the Auditor General's responsibilities set forth in section 6 of the Auditor General Act:

The Auditor General shall examine the several financial statements required by section 64 of the Financial Administration Act to be included in the Public Accounts, and any other statement that the President of the Treasury Board or the Minister of Finance may present for audit and shall express [her] opinion as to whether they present fairly information in accordance with stated accounting policies of the federal government and on a basis consistent with that of the preceding year together with any reservations [s]he may have.

Managing the Audit

2.112 The Principal(s) responsible for the Central Team have been delegated responsibility for managing the annual audit of the Public Accounts of Canada. The Central Team Principal(s) are responsible for the overall planning, execution, and reporting of the audit. For practical reasons, some of these responsibilities are delegated to entity Principals, who are responsible for those aspects of the Public Accounts audit touching the entities for which they have day-to-day responsibility (departments, agencies, Crown corporations, or other entities). The entity team Principals provide some of the evidence necessary for the Central Team Principal(s) to complete their work.

2.113 Exact roles and responsibilities are generally outlined in material supplied to the entity teams by the Public Accounts team. The primary source of this information is the Public Accounts' TeamStore of mandatory audit procedures and the annual planning meeting between the Central Team and the entity audit team. Additional information is available from the Public Accounts' team Principal(s).

Methodology

2.114 The methodology outlined in this Manual applies to the annual audit of the Public Accounts of Canada. The Office policies included in this Manual were written from the point of view of managing a single audit engagement of one entity. However, clarification of how Office policies apply to the audit of the Public Accounts of Canada has been provided throughout.

Communications With Audit Entities

General

2.115 Our Auditor's Report is typically addressed to one or more bodies, such as the House of Commons (Public Accounts of Canada), a territorial Legislative Assembly (Public Accounts of the Territories), or the minister responsible for the entity being audited (Crown corporations and most other audit entities). However, we have the most day-to-day contact with senior management of the entities we audit and, where one exists, a body having oversight responsibility for the financial reporting process (such as an audit committee). These parties also have a direct interest in our work, and often are best suited to making use of the "value added" aspects of an annual audit, such as addressing control weaknesses or "other matters" of significance we may identify. It is important that they understand the annual audit process.

2.116 Communicating with entity senior management is one of the important responsibilities of the audit Principal. He/she should communicate the terms of the audit engagement, any matters of audit significance, and the results of our work to senior management and the body having oversight responsibility for the financial reporting process. This information should be provided to our clients in a timely manner.

ANNUAL AUDIT POLICY

The audit Principal should communicate with management of the audit entity and, where one exists, the body having oversight responsibility for the financial reporting process, at key stages of the audit including the Planning and Reporting phases. These communications should be documented in the audit file.

2.117 It is important to ensure that the information conveyed is clear, succinct, and meets the expectations and needs of those to whom it is addressed. Further, we must be sensitive to the fact that any written communication with management may be subject to requests under the Access to Information Act. Accordingly, it is appropriate to have all reports and other significant communication approved by the audit Principal and reviewed by the responsible Assistant Auditor General, unless authority to sign the Auditor's Report has been delegated to the audit Principal. This review and approval should take place before it is given to the audit entity. Such approvals help ensure that our written annual audit products meet appropriate quality standards.

ANNUAL AUDIT POLICY

All reports and other significant communications with the audit entity (such as reports to the audit committee and management letters) should be approved by the audit Principal and reviewed by the responsible Assistant Auditor General, unless authority to sign the Auditor's Report has been delegated to the audit Principal, before they are presented to the entity.

2.118 The OAG Official Languages Policy states that "the OAG will ensure that the public can communicate with its offices and obtain services, orally and in writing, in both official languages in accordance with the Official Languages Act" and that "all publications and memoranda, including information posted on the OAG Internet website, which are intended for the public, shall be published simultaneously in both official languages."

2.119 If the entity formally communicates in writing that it requires communications to be provided in one language or the other, then the OAG is not required to communicate in both official languages.

ANNUAL AUDIT POLICY

The audit Principal should ensure that all "official communications" with the entity (for example, Auditor's Report, engagement letters, solicitor/client letters, and post-audit survey letters) are provided in both official languages.

2.120 The OAG Official Languages Policy also states that "communications with members of the Public Service of Canada and of entities audited by the OAG shall take place in their language of choice." In their day-to-day dealings with clients, auditors should therefore communicate with the audit entity in the entity's language of choice and, if requested, should be ready to communicate in both official languages.

Public Accounts

2.121 For the annual audit of the Public Accounts of Canada, the term "audit entity" has three possible meanings in the above two policies. Application of the policy differs with each meaning.

"Audit entity" refers to . . .
Apply policy as follows . . .
 . . . a separate department, agency, Crown corporation, or departmental corporation that an entity team is responsible for auditing. The entity team Principal and the responsible Assistant Auditor General should communicate with these entities.
 . . . the Government of Canada, specifically the Treasury Board of Canada Secretariat, the Department of Finance Canada, and the Receiver General for Canada, who are jointly responsible for preparing the summary financial statements. The Central Team Principal(s) and the responsible Assistant Auditor General should communicate with these entities.
 . . . the Public Accounts Committee (PAC). The Central Team Principal(s) and the responsible Assistant Auditor General are responsible for drafting all communications with the PAC, which must be approved by the Auditor General before being finalized and delivered.

Consultation

2.122 An important element of every annual audit is the informal and formal consultation that takes place within audit teams and between audits teams and specialists. When dealing with complex, unusual, or unfamiliar issues, audit teams are required to refer to authoritative literature and/or seek the assistance of Office specialists with appropriate competence, judgment, and authority, and external specialists when warranted.

2.123 It is also appropriate to consult in regard to more commonplace situations. For example, it is important that we strive for consistency, to the extent considered appropriate, in such areas as:

  • terms of engagement with our audit entities;
  • accounting policies for similar transactions;
  • our expectations with respect to compliance with authorities and regarding "other matters";
  • Office positions on issues that are conceptually similar; and
  • wording of our Auditor's Reports.

2.124 Achieving this consistency across our audit practice, however, with approximately 140 separate opinion annual audits, is beyond the practical capability of individual audit teams. Consequently, we need to rely on individuals with specialized knowledge and experience in these and other areas. Working with these specialists is another aspect of consultation that is important in order to meet the expectations of our Quality Management System.

2.125 The specific circumstances that should lead to consultation with Office specialists, the expected timing of such consultation, and the related Office policies are described in Chapter 8—Consultation.

Procedures to Resolve Differences of Professional Opinion

2.126 From time to time, significant disagreements may arise between team members, audit Principals, and others (such as the Quality Reviewer or specialists). These disagreements must be addressed on a timely basis. Normally, disagreements are resolved directly. This may include discussion, research, and consultation with other knowledgeable parties. Most disagreements arise from simple miscommunications that can be quickly rectified.

2.127 If a disagreement cannot be resolved through discussion, the issue would be documented by both parties and presented for arbitration to the Product Leader or other knowledgeable person from within the Office or to an external and suitably qualified person, as appropriate. The arbitrator must consider the matter on a timely basis and, after consultation with the parties involved, make a determination. If the matter is complex or highly technical, additional input would be sought as necessary. The arbitrator will summarize the matter in writing and provide the factors used in reaching a decision. The decision should then be communicated to the parties involved.

2.128 If there is dissatisfaction with the arbitrator's decision, either party can make a final appeal to the Assistant Auditor General or Auditor General. This step would be treated seriously and taken only where there is concern about an inappropriate opinion being provided on financial statements, or where there are other ethical or significant risks to the Office that must be addressed. The appeal process is the final recourse available within the Office.

Refer to Practice Statement #6—Quality Control Review and Differences of Opinion

ANNUAL AUDIT POLICY

The audit Principal should ensure that differences of professional opinion are addressed on a timely basis, following a three-step process: direct settlement; arbitration; and appeal.

The audit Principal should ensure that the nature and scope of conclusions resulting from the differences of opinion resolution process are documented and agreed to by all parties consulted before issuing the Auditor's Report.

Access to Entity Information

2.129 The Auditor General Act and the Financial Administration Act provide for access to information necessary to fulfill the Auditor General's responsibilities under the acts. The acts entitle the Auditor General to free access at all convenient times to this information. The Auditor General is also entitled to receive from members of the public service and Crown corporations, where he or she is appointed auditor or special examiner, such information, reports, and explanations as he or she deems necessary. The Auditor General decides the nature and type of information needed to fulfill the responsibilities set out in legislation. These are very strong provisions, which prevail against all other acts of Parliament, unless they expressly limit access and refer to the appropriate sections of the Auditor General Act. Further details on this can be found on our INTRAnet in the section "Guidance for the Access to Entity Information."

2.130 Solicitor-Client Privilege protected documents. By agreement between the Office and the Department of Justice, a particular process is used to access documents that are subject to solicitor-client privilege. The process is a result of the decision of the Federal Court in the Professional Institute of the Public Service of Canada (PIPSC) case. The Federal Court concluded that because an audit entity had voluntarily surrendered documents to the Office that were protected by solicitor-client privilege, the privilege attached to the documents had been waived by the entity.

ANNUAL AUDIT POLICY

For each annual audit, the audit Principal will ensure that a solicitor-client letter has been sent to the entity.

2.131 As part of the agreement with the Department of Justice, the responsible AAG sends a letter to the entity in the required form. The letter states that access to solicitor-client protected documents is compelled by the Office under the Auditor General Act or the FAA and therefore release of the documents to the Office does not constitute a waiver of privilege by the entity. This allows the entity to preserve the privilege while meeting the information needs of the Office.

2.132 When requesting access to documents subject to solicitor-client privilege, the audit Principal will exercise judgment and ensure that only information essential to the audit is requested.

2.133 Office requests for Cabinet documents. Required information may sometimes be contained in Cabinet documents, which are confidences of the Queen's Privy Council of Canada. These documents are classified "secret" and are among the most sensitive documents held by the government. They include submissions to and decisions by Cabinet and Cabinet committees, including the Treasury Board. Requests to obtain these documents must come from the audit Principal and are handled by Legal Services.

2.134 Restrictions to access. Government officials recognize their obligation to cooperate with the Office and normally provide information on request. Staff encountering problems with access should not agree to any restrictions on the right to information without consulting the Access to Entity Information specialist and the AAG. Denial of access to information constitutes a serious matter that is normally reported to the House of Commons.

Security of Information

2.135 The Office meets the highest standards of professionalism and integrity and seeks to develop a relationship of respect and trust with its clients. An important ingredient of those standards and principles is the security and confidentiality of both client and OAG information.

2.136 The Code of Values, Ethics, and Professional Conduct requires that all staff be familiar with the security aspects of their work, accept security as an important individual responsibility, and follow the principles set out in the Security Policy and Guidelines issued by the Office.

2.137 The Security Policy and Guidelines indicate that audit Principals are responsible for

  • acquiring an understanding of the security classification system in their audit entities;
  • communicating the requirements to team members; and
  • ensuring that the safeguards for the storage of and access to information are equal to or higher than those required by the audit entity.

Access to Audit Files

2.138 Audit files are the property of the Office, and the information they contain is not generally available to others. Information obtained or created by the Office in the course of an audit conducted by the Office or under its authority is exempt from disclosure in response to access to information requests. Audit files may contain sensitive information about the audit entity that needs to remain strictly confidential (for example, information protected by solicitor-client privilege, or the entity's evaluation of its prospects for collecting specific customer receivables). Audit files may also contain information about our own assessments and evaluations of potentially sensitive accounting and auditing matters that could be misinterpreted if read out of context. Additionally, files could contain classified information requiring security clearance levels in excess of those seeking access. For these reasons and others, access to Office files is normally restricted to OAG personnel requiring access.

2.139 Access to our audit files by external parties is normally provided in the following circumstances only:

  • when a successor auditor has been appointed, or when a new joint auditor has been appointed. This is normal professional practice where the interests of the client are best served by full cooperation between predecessor and successor auditors. Before any access is granted, there should be a clear understanding, in writing, of the terms and conditions under which access is granted. Successor auditors would normally be supervised as they conduct their review work on our files;
  • as joint audits are being conducted. In such arrangements, both auditors are jointly and severally responsible for the audit. It is normal practice for all key sections of the files to be reviewed by both sets of auditors to ensure that there is sufficient and appropriate audit evidence to support the audit opinion;
  • when our audit files have been subpoenaed as evidence in litigation. Our audit files can and have been used as evidence in cases of litigation. Legal Services would normally be responsible for providing the subpoenaed information as and when required;
  • at the client's request. Occasionally, our clients request access to our audit files. Typically, this relates to requests from internal audit or from managers wishing to be provided with our descriptions of their accounting systems. In these situations, the audit Principal should attempt to satisfy the client's request through means other than review of our audit files, providing such information does not undermine the independence of the Office or audit team members; and
  • for external inspections conducted by the provincial institutes of chartered accountants. In these cases, access is coordinated through the Practice Review and Internal Audit Group in Ottawa, and otherwise through the regional Principals.

2.140 The audit Principal is responsible for dealing with the issue of access to audit files and for ensuring that appropriate security practices are adhered to, should access be granted. Consultation with the responsible Assistant Auditor General and with Legal Services should be considered where circumstances warrant.

Complaints and Allegations

2.141 The Office could be the target of complaints and allegations of failure to comply with the professional standards, regulatory and/or legal requirements, including non-compliance with the Office's audit Quality Management System. The Office provides a formal complaint mechanism to address the failures outlined above. It does not provide a means to question and challenge audit results and findings or the professional judgment underlying them.

2.142 Audit entities, third parties, members of the public, and employees of the Office can submit a complaint or allegation in writing by mail or via email to the Deputy Auditor General. Information on how to file a complaint is provided through the Office website. Although the Office accepts all anonymous complaints and allegations, they are generally more difficult to investigate and no response will be communicated on action taken.

2.143 The formal mechanism defines the rights and responsibilities of the involved parties, including the right of both parties to an expeditious resolution of the complaint, normally within 90 days of filing. There is no retaliation by the Office or by its Executive Committee against any Office employee, audit entity, or third party for making a complaint in good faith. Confidentiality is maintained throughout the investigation process to the extent practical while taking into account the particular circumstances and any applicable legal obligations. For additional discussion on implementation of the complaint mechanism, refer to the Complaints and Allegations Practice Advisory on the INTRAnet.

Guidance and Tools

2.144 The Office methodology as described in this Manual is supported by a number of other sources of audit software tools, written guidance, and other materials. A brief explanation of each is provided in the following table.

Audit Software Tools


TeamMate
TeamMate is an electronic toolset used to document our audits. The Annual Audit Library, along with the Mandatory Audit Procedures, provides the basic audit file structure with the audit steps common to all annual audits.
TeamStores

TeamStores is a comprehensive database of audit procedures and work papers accessible from any TeamMate file. The Annual Audit TeamStore contains two distinct cabinets: AAPT Mandatory Audit Procedures and AAPT Optional Audit Procedures.

The Optional Audit Procedures apply to common financial statement components; unique aspects relating to the audits of financial-type institutions; testing internal controls; and other purposes. These steps and any accompanying guidance are imported into the audit file when creating tailored audit programs for specific financial statement components of the audit.

IDEA
IDEA assists auditors in extracting and analyzing data from client files, as well as in the planning, extraction, and evaluation of statistical samples.

Written Guidance


Team Audit GuidanceMate
Audit guidance has been developed to provide direction to staff in selected areas, particularly those related to executing and reporting the audit. The guidance is more detailed than the material provided in this Manual. The Annual Audit INTRAnet site offers guidance on such topics as control testing, management and monitoring controls, and analytical procedures.
Practice Advisories

Annual Audit Practice Advisories inform attest practitioners of changes to attest methodology, policies, and standards. AAPT regularly prepares Practice Advisories to communicate changes in professional standards, policy, methodology, guidelines, and tools. From time to time, certain Special Practice Advisories for All Product Lines are issued by the Professional Practices Group. Certain special advisories may contain information applicable to annual audit practitioners.

Templates
These documents and forms assist the auditor in completing all phases of the annual audit. Templates include material such as standard confirmation letters, engagement letters, solicitor-client privilege letters, management representation letters, and reports to audit committees (or equivalents).These templates are available on the Office's Annual Audit INTRAnet site.
Public Accounts (Section 6) Area in the Annual Audit INTRAnet Site
This database is available through the Annual Audit INTRAnet site. It provides access to all guidance, tools, and other specialized material applicable to the annual audit of the Public Accounts of Canada.
Entity Sites on the Annual Audit INTRAnet Site
The Office maintains Entity Sites on its Annual Audit INTRAnet site to help teams develop their knowledge of audit entities and to retain our Cumulative Audit Knowledge and Experience (CAKE).
One Pass Planning (OPP)
The One Pass Planning INTRAnet site (under "Audit") and the background tabs and attachments in TeamMate provide a wealth of guidance on OPP, including articles on risk management, reporting templates, and guidance on completing and documenting an OPP.
Internal Specialists' Sections on the INTRAnet
OAG internal specialists are available to audit teams to provide consultation and expert advice on audit areas requiring specialized knowledge. The Office maintains information on the INTRAnet that provides auditors with references and guidance on areas requiring specialized knowledge, such as financial instruments, information technology, and wrongdoing and fraud.

Other Materials

2.145 More general guidance materials are available from the Knowledge Centre, while specialized guidance may be obtained through OAG internal specialists.

3 Engagement Management

3.1 Engagement Management is the first of the five main audit activities and includes establishing and communicating the terms of engagement; performing client acceptance and continuance activities; addressing independence requirements; and establishing staff performance and development objectives.

Terms of Engagement

3.2 The annual audits we conduct of the Public Accounts of Canada, the Territories, Crown corporations, and other entities are designed to provide our opinion to readers on the fair presentation of the financial statements. Further, as Parliament's auditor, we have additional responsibilities conferred on us with respect to reporting on compliance with legislative authorities, and a general duty to also report on any "other matters" that, in our opinion, should be brought to the reader's attention. Accordingly, these legislative responsibilities must be explicitly taken into account in the Planning, Execution, and Reporting phases of the audit.

3.3 In all of our engagements, the Office and the audit entity should share a common understanding of the terms of the engagement, related to both our statutory audit work and any other work that may be performed.

3.4 Many of our audit engagements are statutory and of a long-standing nature. Even though we may believe that our audit entities have a clear understanding of the nature of our audit work, it is still important to set out, in a clear and unambiguous manner, the significant aspects of the terms of engagement. Communicating this information to senior management and to those having oversight for the financial reporting process helps them to discharge their responsibilities and confirms their understanding of what is involved in an audit.

3.5 Communication of this information is accomplished through an engagement letter and a report to an audit committee (or equivalent). Management, on behalf of the entity, confirms its understanding of, and agreement with, the terms of the engagement by signing the written agreement documenting the terms of the engagement, and returning a signed copy to the auditor.

Refer to Practice Statement #7—Preconditions for an Audit

ANNUAL AUDIT POLICY

The audit Principal should ensure that the terms of reference for the audit engagement, significant features of the audit scope, and the responsibilities assumed are clearly set out in an engagement letter and included in a formal written communication to an oversight committee, if one exists.

3.6 For the annual audit of the Public Accounts of Canada, the Central Team is responsible for establishing and communicating the terms of the engagement with the Government of Canada, specifically the Treasury Board of Canada Secretariat, the Department of Finance Canada, and the Receiver General for Canada, who are jointly responsible for preparing the financial statements.

Monitoring and Assessing Risks Associated With the Acceptance and Continuance of an Engagement With an Entity

3.7 Practitioners are expected to monitor and report to their AAG on developing activities in the organizations they audit that may result in a new or changed mandate that the Office of the Auditor General may be asked to undertake.

3.8 The Office requires reasonable assurance that its practitioners identify and assess potential sources of risks associated with an entity relationship or a specific assurance engagement. The Office shall not accept or undertake an engagement if there are constraints that would prevent the completion of the engagement in accordance with professional standards or regulatory and legal requirements. In light of this, the responsible AAG and Principal should consult with the Product Leader. Necessary information shall be obtained before accepting a new assurance engagement or continuing to provide assurance services to an entity.

3.9 The following criteria shall be reviewed and documented to assess potential risks associated with the acceptance and continuance of an assurance engagement.

  • Risk of association. This relates to assessing the risk to the Office of becoming associated with the prospective entity, particularly relating to professional independence and integrity. Consider whether independence can be established and maintained (see Practice Advisory on Independence and documenting and addressing threats to independence on the INTRAnet) and whether any potential conflicts of interest exist that could jeopardize the Office's independence. Where such a conflict is identified, the Office would need to reconsider whether to accept the engagement or reappointment where we have discretion to accept or decline the engagement or where we have no discretion, determine and document how we are planning to address this conflict.
  • Competence of the audit team. The Office has an obligation to Parliament, audited organizations, and other stakeholders to ensure that audits are conducted by competent personnel. The audit team must therefore possess, individually or collectively, the knowledge, disciplines, skills, and experience to carry out the audit. This applies to any specialists that are contracted to assist the team. The availability of quality reviewers and internal specialists is also an important consideration before accepting a new assurance engagement, as well as the Office's ability to meet the reporting deadline.
  • Knowledge of the prospective entity. Obtain an understanding of the nature of the entity's operations, including its business practices. This normally includes an understanding of the business or legislative environment in which the entity operates and the operating characteristics of the entity, such as the nature of its revenues (or products), sources of financing, and administration. Upon acceptance of an engagement, audit teams must have reviewed relevant documentation about the prospective entity to ascertain that they have systems and practices in place to allow an assurance engagement to be performed and that the conclusion can be meaningful to intended users of the Office's report.
  • Management integrity. Teams must assess the management integrity of the prospective entity, including their willingness to provide meaningful disclosures and representations during the engagement. Teams must also carefully consider any matters that may negatively reflect on management's integrity, such as their attitude towards the internal control environment and any indication that they may pursue an aggressive interpretation of accounting standards. Finally, an audit team must consider management's response to observations and recommendations for operational improvements conducted by any previous auditors and/or internal audit.
  • Relationship with other auditors. If applicable, assess the relationship with previous auditor(s) and/or any internal audit. Communicate in writing with the previous auditor(s) to ascertain whether there are any circumstances the Office should take into account that might influence the Office's decision to accept the assurance engagement.

Approval Process and Documentation for Engagement Acceptance and Continuance

3.10 Discretion regarding acceptance and continuance of assurance services may not be an option for the Office because the service is required pursuant to an act of Parliament. In this instance, a formal review and approval by the Executive Committee is not required unless the responsible practitioner and AAG, in consultation with the Product Leader, determine that a material risk exists with the Office accepting or continuing an engagement.

3.11 With respect to new mandates where the Office has discretion to accept or decline the engagement, review and approval by the Executive Committee is required. The Office also has flexibility in interpreting and applying some aspects of its mandate. For example, the Office has a broad mandate to conduct audits of Crown corporations and their subsidiaries but, in some instances, it may choose not to do so.

Refer to Practice Statement #7—Preconditions for an Audit

Documenting Engagement Acceptance and Continuance

3.12 Regardless of whether issues have been identified, the decision-making process concerning the acceptance and continuance of assurance services shall be adequately documented. This includes a synthesis of the entity acceptance documents collected, interview notes, and a rationale for the decision taken. Information collected and conclusions reached during the assessment of potential risks associated with the assurance engagement on competence of audit team members, knowledge of the entity, and management integrity shall form part of the briefing notes to the Executive Committee and Legal Services, in addition to resource and funding requirements.

3.13 Under the leadership of the Principal, the audit team should prepare an engagement letter outlining the decision to accept or continue the assurance engagement, as well as the terms and conditions of the engagement. In addition, the Principal should ensure that the audit team has placed all documentation and records in the appropriate audit file.

3.14 If a decision is made to decline an engagement or to discontinue an assurance engagement, the audit team, under the leadership of the Principal, should place all documentation and records of decision in the permanent file.

ANNUAL AUDIT POLICY

Where requests for assurance engagements are received and where we have discretion to accept or decline the engagement, or where a material risk has been identified in a continuing engagement, the responsible entity Assistant Auditor General or Principal should

  • use the prescribed risk assessment criteria to create a briefing note for the Executive Committee detailing the rationale for acceptance and/or continuance or non-acceptance and/or discontinuance;
  • obtain approval from the Executive Committee before making any commitment to the prospective entity; and
  • refer requests to Legal Services for authority under section 11 of the Auditor General Act and/or under the Financial Administration Act.

Independence Issues

3.15 Although inherently the Office has a significant degree of independence from its audit clients, it is nevertheless important to take appropriate steps to ensure that individual audit team members are (and are perceived to be) independent and objective. Office guidance on independence is available on the Annual Audit INTRAnet site and addresses the following topics:

  • the various threats to independence (Self-Interest, Self-Review, Advocacy, Familiarity, and Intimidation);
  • Staff Awareness, Acceptance and Continuance, Referrals to Legal Services, Disagreements, and Discipline;
  • the roles and responsibilities related to independence matters for the AAG Professional Practices, the AAGs, the audit Principals, Human Resources and Professional Development, and the Legal Advisor;
  • considerations about the independence of the Office; and
  • steps to ensure independence of engagement team members.

3.16 Annually, and prior to the commencement of work on an engagement, all audit professionals are required to assess and address threats to independence, including completing and documenting within TeamMate their Assurance Engagement Report on Independence.

3.17 Audit professionals on an engagement include the audit professional(s), audit Project Leader(s), Director(s), Principal(s), Assistant Auditor General, Deputy Auditor General, members of the Annual Audit Practice Team, and other specialists, including contractors and the Quality Reviewer as applicable.

ANNUAL AUDIT POLICY

The audit Principal should obtain a confirmation of independence for each audit professional participating in an audit regardless of line of service or the amount of time charged to the engagement.

An individual's confirmation of independence should be completed and documented in the file prior to the individual commencing work on the engagement. Threats to independence should be considered, assessed, and documented throughout an assurance engagement.

3.18 The audit Principal should consider whether rotation of personnel on the engagement may be desirable in order to guard against the familiarity threat to independence and ensure continuing objectivity of the audit team. Guidance on job rotation is available on the Annual Audit INTRAnet site. If rotation is desirable but not practical for a team member, the audit Principal should consider how any associated risk should be addressed. It is good practice to ensure that the client is informed of an anticipated change in key audit staff.

3.19 Decisions regarding the rotation of the Office's most senior staff, such as Principals and Assistant Auditors General, are made by the Auditor General, the Executive Committee, and/or the responsible Assistant Auditor General, as appropriate in the circumstances.

ANNUAL AUDIT POLICY

For large entities that have debt sold publicly, senior personnel (Assistant Auditor General, Principal) should not normally be part of the same engagement team for more than five consecutive years, and should not thereafter resume or assume this role until a further five years have elapsed.

For entities other than the ones mentioned above, senior personnel (Assistant Auditor General, Principal) should not normally be part of the same engagement team for more than seven consecutive years and should not thereafter be part of this team until a further two years have elapsed.

Staff Performance and Development Objectives

3.20 Performance and development objectives should be set for all staff prior to commencement of the Execution Phase of the audit. The appropriate sections of the Assignment Planning and Assessment Form should be completed for each staff member. The staff goals and objectives should be prepared using the "SMART" guideline:

  • Specific—Is it clear, specific, tangible? Does the employee know what to do to achieve this objective?
  • Measurable—Is it measurable? At any time, can employees find out how far they've come and how far they have to go? Any quantity or quality reference points?
  • Ambitious—Does it require stretching? Is it something the person could be proud to have tried or achieved?
  • Reachable—Is it realistic, achievable, ambitious but reachable? Are there special circumstances?
  • Time-bound—Does the objective have a deadline? Are there milestones?

3.21 In order to prepare SMART objectives for staff, the following items should be developed and used as input:

  • audit timetable;
  • audit task plan; and
  • audit time budget.

Consistent Application of Accounting Principles

3.22 Generally accepted accounting principles require entities to provide disclosure of changes in the application of accounting principles. If an entity has complied with this GAAP requirement, then generally accepted auditing standards would not require the auditor to report on this matter. Accordingly, in establishing the terms of engagement for a specific entity, we would not include a requirement to report on the consistent application of accounting principles unless it is required by legislation.

3.23 The basis for preparation of financial statements and our report thereon is often established in legislation. For federal Crown corporations, section 132 (2) of the federal Financial Administration Act requires the auditor to report on whether the financial statements are presented fairly in accordance with generally accepted accounting principles applied on a basis consistent with that of the preceding year. Accordingly, we have a requirement to report on the consistent application of accounting principles for Crown corporations subject to section 132 (2) of the FAA.

4 Knowledge of the Entity and Risk Analysis

Refer to Practice Statement #8—Multi-Location (Group) Audits

4.1 Knowledge of the Entity and Risk Analysis is the second of five main audit activities of our audit approach and requires the auditor to develop Knowledge of the Entity and Its Environment, develop Knowledge of the Entity's Internal Controls, and consider Fraud and Other Risk Factors sufficient to identify risks of material misstatement for further consideration.

Knowledge of the Entity and Its Environment

General

4.2 Our audit approach requires the audit Principal and the Director to maintain a high degree of understanding about the entity and its business environment. Their combined cumulative audit knowledge and experience is the basis for building and documenting an appropriate level of understanding of the entity, its environment, and the related risks of material misstatement.

4.3 We update our knowledge of the entity and its environment on a yearly basis for the annual audit, and in more depth on a cyclical basis for One Pass Planning or when we perform a special examination. The annual update involves interviews with senior entity officials and reviews of relevant documents prepared by the entity and others, analytical procedures, and observation and inspection. In the years when an OPP is completed, these interviews would generally be expanded to include external stakeholders and others, such as industry specialists. The update process helps the audit Principal and Director to identify and understand the areas of risk to the entity, assess the risk of material misstatements in the financial statements, and, ultimately, to direct audit effort accordingly.

4.4 Our methodology requires audit teams to perform and document certain activities in connection with developing their Knowledge of the Entity and Its Environment. These activities have been included in TeamMate to provide audit teams with the necessary framework to develop their Knowledge of the Entity and Its Environment.

Summary of the Entity and Entity Profile

4.5 We prepare our Summary of the Entity and Entity Profile for the purpose of documenting our cumulative knowledge of the entity. As required by our audit approach, we develop an understanding sufficient to identify the risks of material misstatement of the financial statements. While the entity summary and entity profile may not specifically result in identification of specific risks of material misstatement, we consider potential risk factors as we develop our understanding and perform other risk assessment procedures within the context of this understanding.

Review of Minutes and Key Entity Documents

4.6 Other sources for developing our understanding of the entity's objectives and strategies and related business risks include a review of key entity documents by the Principal and/or Director, starting with the entity site on the Office's INTRAnet. At a minimum, the following documents should be reviewed, if available:

  • enabling legislation;
  • other legislation the entity is responsible for administering/enforcing, including international agreements;
  • relevant regulations, directives and key Treasury Board Decisions;
  • Annual Business Plan (e.g. Corporate Plan, Report on Plans & Priorities, Strategic Plan, Sustainable Development Strategy);
  • minutes of the Board of Directors or Executive Management meetings;
  • entity's own Risk Framework;
  • selected internal audit reports;
  • key information from the entity's own public website; and
  • annual report/performance reports.

4.7 Most entities are required to prepare and document annual business plans. The entity's annual business plan (its corporate plan or report on plans and priorities) typically provides a wealth of relevant information. These plans, or some variant, are prepared annually by departments, agencies, Crown corporations, and most other entities for which the Office conducts annual audits.

4.8 The plan will normally describe the entity's assessment of the risks and opportunities of its business environment, as well as its strategies for dealing with them and achieving its statutory goals and objectives. A review of most entities' annual business plan should be considered an essential pre-requisite to obtain an understanding of the entity's business risks.

4.9 When reviewing the full corporate plan of Crown corporations, it is important to note that Office security practices require that this be done on corporate premises. Normally, the auditor would not retain a copy of the full plan, even if it is appropriately secured.

4.10 Another important document that should be reviewed for government departments and agencies is their results-based management and accountability framework (RMAF). The plans and priorities of these entities, as well as their performance reports, are based on their RMAF, which must be approved by Treasury Board.

Refer to Practice Statement #9—Laws and Regulations in an Audit of Financial Statements

Interviews With Entity's Senior Management and Key Stakeholders

4.11 The audit Principal and Director should attempt to meet with the entity's president, deputy minister, chief executive officer/chief operating officer, and other senior officials such as assistant deputy ministers, vice-presidents, the senior financial officer, and others as appropriate. This provides the audit Principal and Director an opportunity to understand the views of those responsible for managing the business affairs of the organization. Specifically, the meetings should address the following issues:

  • understanding the entity's business objectives;
  • management's view on its significant business risks, and the steps taken to identify, manage, and monitor the business risks it considers most significant;
  • management's understanding about the risks of fraud in the entity, including its knowledge of any fraud that has been perpetrated or any alleged or suspected fraud;
  • key elements of the entity's long-term strategic plan linking the entity objectives to the expected corporate results;
  • organizational values and standards of conduct and how they are supported by corporate policies, guidance, monitoring, and enforcement;
  • the organizational structure and the corresponding assignment of responsibilities and how this helps the entity to carry out its business objectives;
  • the risk tolerance of the organization in terms of the types of risks it can tolerate; and
  • such other issues as time permits (for example, the individual's views on the significance to the entity of its audit and review function, its accountability measures, performance reporting to Parliament, human resources issues, compliance with governing authorities, environmental issues, the adequacy of its financial resources, and the significance of IT solutions to its long-term objectives.)

4.12 The responsible Assistant Auditor General should always be made aware of the schedule for senior executive interviews so that he or she can attend those of interest.

4.13 The audit Principal and Director should also meet with other senior entity officials outside the finance area. At a minimum, discussions/interviews should be conducted annually with the following individuals:

  • head, internal audit;
  • head, human resources;
  • chief information technology officer;
  • integrated risk management operations officer;
  • relevant operational and support managers; and
  • others within the entity who may be questioned by the auditor about the existence or suspicion of fraud.

4.14 The most senior member of the audit team with specialized IT knowledge and experience would normally accompany the group interviewing the entity's chief IT officer. In entities with complex IT environments or where operations are heavily IT-dependent, it may be appropriate to have a senior IT Audit Specialist attend the interview as well.

4.15 Prior to conducting any meetings with senior entity officials and external stakeholders, the audit Principal and Director should familiarize themselves with the previous year's audit.

4.16 After interviewing these officials, the audit Principal and Director should have a broad, strategic understanding of the entity's operations, business lines, and overall control environment. They should also be able to identify internal and external challenges, opportunities, and risks; understand what steps are taken by the entity to address them; identify those risks that appear to be well managed; and identify those areas where major control weaknesses may be evident.

4.17 Interviews with senior officials and a review of key documents should allow the audit team to identify the entity's objectives as well as risks to achieving those objectives. Knowing the entity's objectives helps the audit team to clarify what the organization believes it needs to accomplish in order to achieve its mandate. This understanding of the entity's objectives and its strategies for achieving its objectives is critical to identifying business risks that can result in material misstatement in the financial statements.

4.18 The audit team is expected to document all identified aspects of risks in the Knowledge of the Entity and Risk Analysis section of TeamMate. These aspects include objectives and strategies; industry, regulatory, and other external factors (business risks); the nature of the entity; the entity's selection and application of accounting policies; and measurement and review of the entity's financial performance through analytical review.

4.19 Business risks that impact the fairness of the presentation of the financial statements and other risks of material misstatement should be summarized on the Audit Risk Assessment form in TeamMate. This form is used to document all potential risks identified and to determine which of those are assessed as significant risks and require special consideration for the current audit. See Chapter 5—Annual Audit Planning for additional discussion on assessing the significance of risk.

Knowledge of the Entity's Internal Controls

General

4.20 Our audit approach requires us to perform appropriate activities to understand the entity's internal controls. Here, we focus on understanding the entity's internal controls for the purpose of assessing potential risks of material misstatement of the financial statements.

4.21 Understanding internal controls requires us to evaluate the design and implementation of relevant internal controls. There are five components of internal control as defined in Canadian assurance standards:

  • the entity's risk assessment process;
  • the control environment;
  • the information system, including business processes relevant to financial reporting and communication;
  • control activities; and
  • monitoring of controls.

4.22 Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements. Implementation of a control means that the control exists and that the entity is using it.

Entity's Risk Assessment Process: Enterprise Risk Management by the Entity

4.23 We develop our understanding of the entity's risk assessment process for two reasons. The first is to identify additional business risks that management has considered but we have not. The second reason is to understand the entity's risk assessment process as a component of internal control. As such, we review the risks identified within the Enterprise Risk Management (ERM) to identify risks we have not yet considered and then we evaluate the design and implementation of the ERM against the typical control objectives of a standard risk framework.

4.24 A risk framework is an integrated, structured approach to the identification and management of risk (including business risk). Its objective is to ensure that all major business risks are identified and that a procedure is in place to continuously monitor the risk profile of the organization in order to identify any changes in the entity or its environment that might require changes to risk management practices. Departments and agencies are required under Treasury Board policy to establish a risk framework.

4.25 A risk framework could go by a number of names and comprise a number of components. Risk frameworks that have been prepared by the entity will greatly assist the auditor in determining the business risks of the entity, identifying the mitigating controls to address those risks, and assessing potential financial statement impacts.

4.26 Generally speaking, a well-developed integrated risk framework exhibits the following characteristics (see Treasury Board guidance on the development of an Integrated Risk Management [IRM] framework on the Treasury Board website):

Establish the bureau framework graphic

4.27 Other documents may also be relevant and should be reviewed as applicable. Examples of other information that may contribute to a more comprehensive understanding of the entity's business and risks include

  • analyses of changes in the economic situation of the entity's clients or stakeholders;
  • analyses of changes in the entity's major competitors and/or its key suppliers;
  • significant economic developments affecting (or potentially affecting) clients and/or stakeholders of the entity, both domestic and internationally;
  • Parliamentary interest in the entity's operations;
  • internal audit reports that have been issued in the year;
  • the OAG's Environmental Petitions Catalogue and Sustainable Development Strategy Commitments database; and
  • newspaper or magazine articles related to the entity or its business.

The results of the evaluation of the risk framework may identify risks of material misstatement for further consideration.

Control Environment

4.28 The control environment reflects entity level controls such as management's philosophy, attitude, and demonstrated commitment to establishing a positive atmosphere for the implementation and execution of well-controlled operations. An understanding of the control environment is critical to making informed judgments about the broad level of risk of material misstatement in the entity's financial statements (or other performance information reports) and to assessing whether the entity's control environment appears to be conducive to a reliance on controls audit approach.

4.29 For all of our audits, we complete an overall assessment of the control environment as well as evaluate the nine principal objectives of the control environment. The results may lead to the identification of additional risks of material misstatement and/or play a role in determining whether an audit strategy based on reliance on controls is appropriate. We take a comprehensive, entity-wide perspective of controls when determining the impact of our overall assessment on our audit strategy.

4.30 The nine principal control objectives that should be evaluated in connection with developing our understanding of the control environment are as follows:

  • communication and enforcement of integrity and ethical values;
  • commitment to competence;
  • participation by those charged with governance;
  • management's philosophy and operating style;
  • assignment of authority and responsibility;
  • human resource policies and practices;
  • environment;
  • internal audit; and
  • information technology.

4.31 The nature of the information required to complete this section, though not highly detailed, requires the broad perspectives and insights of senior members of the audit team. The audit Principal should ensure that previous performance audits, One Pass Plans, special examinations, and annual audit findings, as appropriate, are given due consideration when assessing each control objective.

4.32 To assist in assessing each control objective, a list of questions for consideration has been developed. These points largely relate to high-level management and monitoring controls. Most entities will not have, and should not be expected to have, all of the suggested controls. The absence of some controls does not mean that a reliance on controls approach cannot be followed.

4.33 When identifying potential risks and assessing the control environment, audit Principals should consider any mitigating factors for observed weaknesses, as well as the strengths noted. They should also consider the significance of the particular control objectives in relation to the entity and its business. The audit Principal should ensure that the key strengths, weaknesses, and/or mitigating factors are documented. Teams are not expected to test these controls or to provide assurance on their effectiveness but rather to identify potential risks of material misstatement stemming from weaknesses related to the design and/or implementation of the related controls.

4.34 There are no specific guidelines to indicate the point at which the overall control environment is significantly compromised due to identified weaknesses. Assessment of the quality of the entity's overall control environment is a matter of professional judgment.

4.35 The Principal should assume that a reliance on controls approach is appropriate for annual audits, unless clear evidence exists to the contrary. Such evidence could include the existence of one or more of the following situations:

  • a pervasive lack of access controls in critical corporate operating and reporting systems;
  • a pervasive lack of management and monitoring controls throughout the organization;
  • a history of processing errors found as a result of our annual audit work;
  • widespread disregard for spending authorities such as appropriations, votes, or limits on major capital projects;
  • widespread disregard for the protection of corporate assets (especially capital and technological); and
  • a history of senior management override of controls in financial systems.

4.36 If the audit Principal concludes that a reliance on controls approach is not possible, the responsible Assistant Auditor General should review this conclusion.

ANNUAL AUDIT POLICY

The audit Principal should assess the entity's overall control environment and conclude whether it is conducive to a reliance on controls approach for the annual audit.

If the audit Principal concludes that a reliance on controls approach for the annual audit is not possible, or is not appropriate, this conclusion should be documented and approved by the responsible Assistant Auditor General.

When signing authority for the audit has been delegated to the audit Principal, he or she will approve the audit approach and the reasons for not adopting reliance on controls.


Information System, Including the Related Business Processes Relevant to Financial Reporting and Communication

4.37 In order to develop our understanding of the entity's internal controls, we address the various information systems and related business processes relevant to financial reporting. We document our understanding of the procedures and records that have been established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity.

4.38 In planning the audit, it is important that the IT and financial auditors

  • map activities and systems to the financial statements and identify business cycles that support them. This involves documenting, at a high level, the flow of information for key business cycles and the manner in which general ledger accounts are updated;
  • determine which business cycles, systems, and related financial statement components the financial auditors wish to place reliance on, and the extent of reliance;
  • understand any key issues identified by internal users, management, and internal audit; and
  • ensure that any significant IT matters affecting financial statement assertions are identified at this stage and that these matters are communicated to team members.

4.39 The quality of system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports. Accordingly, we evaluate the information systems to ensure that controls exist and that the systems

  • identify and record all valid transactions;
  • describe, on a timely basis, the transactions in sufficient detail to permit proper classification of transactions for financial reporting;
  • measure the value of transactions in a manner that permits their proper monetary value to be recorded in the financial statements;
  • determine the time period in which transactions occurred in order to record transactions in the proper accounting period; and
  • present properly the transactions and related disclosures in the financial statements.

4.40 Communication is another aspect of an information system that our approach requires us to consider. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open channels of communication help ensure that exceptions are reported and addressed.

4.41 In connection with our understanding and evaluation of communication, we review entity documentation such as policy manuals, accounting and financial reporting manuals, and memoranda. Communication may occur electronically, orally, and through the actions of management.

4.42 The audit team's IT and financial auditors are required to have a good understanding of the entity's IT environment because it affects the generation of key reports and the protection of electronic data, with significant impact on the financial statements. Key information pertaining to the IT environment that must be documented in TeamMate includes

  • the organization of the IT function;
  • the way in which management controls IT activities;
  • the manner in which IT supports the business;
  • the main characteristics of IT systems and environments that support the financial statements;
  • significant changes to these systems;
  • known problems with these systems;
  • the impact of IT on the audit strategy; and
  • matters worth reporting to the client.

4.43 During the Planning Phase, the team leader, in consultation with the IT Audit Specialist, will determine the feasibility and effectiveness of adopting a reliance on controls audit approach to major business cycles and then document this decision in the Preliminary Audit Approach by Cycle folder in TeamMate.

Control Activities

4.44 Our audit approach requires us to document a sufficient understanding of the entity's policies and procedures that are relevant to the audit. It also requires us to evaluate the design and implementation of the entity's policies and procedures in order to identify and assess risk of material misstatement at the financial statement and assertion levels and to design further audit procedures responsive to assessed risks, regardless of our intent to rely on controls. Control activities relevant to the audit include entity level controls, general computer controls (GCCs), and application level controls.

4.45 Entity level controls and general computer controls. We evaluate the design and implementation of entity level controls and GCCs before application controls due to their pervasive nature, which will have an effect on the operation of application level controls. Our evaluation of entity level controls and GCCs will typically address three of the five components of internal control: the control environment, the entity's risk assessment process, and monitoring of controls. Other elements that should be evaluated include controls over management override, centralized processing, the period end financial reporting process, and policies that address significant risks.

4.46 We document these control components and evaluate the design and implementation of the relevant controls. Control weaknesses identified should be documented and a TeamMate exception created for possible reporting to management and to those charged with governance. Additional risk consideration will be given to control weaknesses. See Chapter 5—Annual Audit Planning for further discussion on assessing the significance of risk.

4.47 Our approach to understanding internal control uses a "top-down" approach, which drills down through the organization (see also the discussion of Reliance on Controls in Chapter 1). A solid understanding of entity level controls provides an important foundation for assessing other relevant controls over financial reporting at the business cycle or application level.

4.48 Business cycle/application level controls. We develop our understanding of application controls in a manner similar to the one for understanding entity level controls. We document our understanding of the relevant information systems within the IT Environment folder of TeamMate; however, we typically document our business process review within the various business cycle/component folders under the Transaction Flow and Processes standard audit steps of TeamMate. When we evaluate the design and implementation of relevant controls, we perform the following procedures:

  • consider "what can go wrong" risk factors at the transaction or assertion level specific to each significant system and business process and determine if control activities exist that may mitigate these risks;
  • document relevant controls (memos, flow charts, etc.) starting from the initiation of a transaction through to financial reporting. We then perform transactional walkthroughs for each significant process to confirm our understanding;
  • evaluate the design of the control activities. We evaluate the descriptions of each control(s) to determine whether the control is sufficient to mitigate corresponding "what can go wrong" risk factors;
  • evaluate the implementation of controls. We perform control walkthroughs to confirm our understanding and to conclude on implementation of the controls;
  • conclude on risk of material misstatement due to weaknesses in design and/or implementation of control activities. If gaps/weaknesses are found in either the design or implementation of internal control, we have identified additional risks of material misstatement for further consideration; and
  • use professional judgment to determine whether the identified weaknesses, individually or in combination, represent significant risks or other risks of material misstatement.

4.49 Significant risks identified are recorded on the Audit Risk Assessment form in TeamMate; our strategic response is recorded on the Preliminary Audit Approach by Cycle form in TeamMate. Other risks of material misstatement not assessed as significant are considered in the context of our assertion level risk assessment. These other risks of material misstatement may be carried to the relevant Summary of Comfort as a basis for our assessment of the level of assurance required by assertion. Chapter 5—Annual Audit Planning provides a detailed discussion of these forms and audit activities.

Monitoring of Controls

4.50 Monitoring of controls are entity activities that monitor whether controls are operating as intended and are being modified as appropriate for changing conditions. Activities include management's review of bank reconciliations to determine whether they are being prepared on a timely basis; internal auditors' evaluation of program officers' compliance with the FAA when issuing grants and contributions; and a legal department's oversight of compliance with the entity's ethical or business practice policies. We evaluate the design and implementation of these relevant control activities and consider any weaknesses in the context of potential risks of material misstatement and possible implication on the control environment as an indicator of the "tone at the top."

4.51 If we design an audit strategy that derives audit assurance from the operating effectiveness of a specific monitoring control activity, we consider the level of assurance provided by the control activity when assessing the level of assurance obtained. Controls can be either directly or indirectly related to a financial statement assertion. The more indirect the relationship, the less effective the controls may be in preventing or detecting and correcting misstatements, and hence the less assurance the controls provide. Examples of monitoring control activities include the following:

  • Ongoing monitoring activities (such as exception and IT reports) are in place to address the operation of significant internal controls.
  • Periodic evaluations of controls are conducted on key control systems by skilled personnel (for example, internal audit).
  • Management takes appropriate action on
    • exceptions to policies/procedures;
    • correcting deficiencies in internal control (including those identified by the auditor); and
    • complaints of improper financial matters by external parties.

Fraud and Other Risk Considerations

Other Risk Considerations

4.52 In addition to considering the entity's business risks, our audit approach requires that we consider other aspects of the entity and its environment in order to develop our knowledge of the entity and to identify other risks to be addressed by the audit. The following procedures are performed to identify other risks.

4.53 Preliminary analytical review procedures. The existence of other risks of material misstatement may be identified through measurement and review of the entity's financial performance, or the performance of preliminary analytical review procedures. For example, significant fluctuations in component balances from the prior year may indicate potential errors or changes in the historical relationship of different component balances.

4.54 The audit Principal and Director should identify relevant interim financial and non-financial performance information and perform selected preliminary analytical procedures. These analytical procedures will supplement the information gathered during the risk analysis and provide useful information for identifying risks of material misstatement and developing the Preliminary Audit Approach by Cycle. These procedures may confirm the information collected for the risk analysis or identify additional areas that need to be investigated and/or addressed during the audit. They may also contribute to a more comprehensive understanding of the entity's business and risks. To provide meaningful input to the planning process, these preliminary analytical procedures should be performed prior to finalization of the Preliminary Audit Approach by Cycle folder.

4.55 Analysis of interim financial results gives the audit Principal perspective on the extent to which plans are being achieved, the plausibility of explanations from management, the impact and significance of potential new developments, and the consistency of results with the auditor's expectations based on current and previously acquired knowledge. Analysis of corporate performance reports such as management variance analyses, year-to-date cash flow reports, and key financial ratios may also add value.

4.56 Preliminary analytical procedures should not be limited to financial reporting information. Analysis of operational reports, including key performance indicators, may provide additional insights into business risks facing the entity and should corroborate the financial results to date.

4.57 Where these reviews reveal a significant change, unusual relationship, or unexpected outcome not consistent with the audit Principal's expectations, additional work should be undertaken to assess any further risks of material misstatement and possible impact on the development of the Preliminary Audit Approach by Cycle.

4.58 Prior year issues. Audit staff can maximize audit efficiency by ensuring that they take into consideration the Cumulative Audit Knowledge and Experience (CAKE) when developing the strategic approach and the tailored audit programs. One important aspect of CAKE is "prior year issues." These include the planning points raised during the course of the prior year's audit, adjustments identified and made in the prior year's financial statements, and any matters reported to management and/or to those having oversight responsibilities and/or to Parliament. Such issues should be reviewed and incorporated into the plan of the current year's audit, as applicable.

4.59 Entity-specific accounting policies. Additionally, we consider other aspects such as entity-specific accounting policies or significant changes in estimates, new or emerging accounting or auditing issues, and prior year experience of errors.

4.60 We consider risks related to entity-specific accounting policies, and annually we need to be aware of any plans by the entity to make significant changes in accounting policies, as the changes may have an impact not only on the financial statements but also on our Auditor's Report for those audit entities where we are required to opine on consistency. For example, this would apply to federal and territorial Crown corporations and the Public Accounts of Canada.

4.61 New or emerging accounting or auditing issues. We identify any new or emerging accounting or auditing issues that may impact the audit. These issues may result from business developments such as significant changes in the entity's asset base, changes in executive compensation packages, and changes in contracting practices. Issues may also arise due to developments in the accounting and auditing profession, such as new accounting pronouncements coming into effect, changes in generally accepted accounting principles for a particular industry or for government operations, or exposure drafts that could affect the way in which the entity accounts for its assets, its liabilities, or its business activities.

4.62 If significant, the impact of any such developments should be reflected in the Audit Risk Assessment form and also, to the extent considered necessary, in the Preliminary Audit Approach by Cycle. Changes and/or new developments that may significantly affect the financial statements should normally be discussed with the senior management of the entity and with those having oversight responsibility for the financial reporting process (normally the audit committee or other appropriate body, such as Treasury Board, the Receiver General for Canada, or the Department of Finance).

4.63 Other risk considerations. The presence of the following engagement-specific factors indicates the possibility of other risks of material misstatement:

  • a significant presence in volatile markets (for example, futures trading);
  • recent "extreme" financial performance (good or bad);
  • complex processes related to the development of accounting measurements (for example, loan loss provisioning);
  • significant accounting estimates involving considerable management judgments or estimates;
  • significant changes in one or more accounting policies adopted by the entity;
  • material-contingent liabilities, including environmental liabilities; and
  • joint audit engagement.

Refer to Practice Statement #10—Auditing Accounting Estimates

Refer to Practice Statement #11—Related Parties

Refer to Practice Statement #12—Going Concern

Risk of Material Misstatement Due to Fraud

4.64 Fraud risk is a critical component of risk, and we need to identify and respond to the risk of material misstatement due to fraud (generally referred to in this section as fraud risk), both for our own risk management and to meet professional standards' requirements. Specifically, this means considering as part of our risk assessment the areas of an entity's operations where there are increased fraud risks at a financial statement assertion level, because of the industry, the business activities, the control environment, performance incentives/pressures, and the overall objectives/agenda of management.

4.65 There is no absolute assurance of detecting material misstatements. However, that should not deter us from planning our audit to maximize the likelihood that we will detect material misstatements due to fraud. We should plan and perform the audit with an attitude of professional skepticism, recognizing that conditions or events may be found that indicate that fraud or other questionable or illegal acts may exist or are reasonably possible, and investigating those conditions or events, and their impact on the financial statements.

4.66 Professional standards also emphasize the responsibilities of legislative auditors, noting that "the use of public funds tends to impose a higher profile on fraud issues." As such, audit Principals need to be more sensitive to the risk of fraud even when the impact of fraudulent activities may not necessarily represent material misstatements.

4.67 When we consider the risk of fraud, we consider not only the misappropriation of assets but also fraudulent financial reporting. Fraudulent financial reporting involves intentional misstatements or omissions of amounts or disclosures in financial statements in order to mislead the users of the financial statements. This definition also scopes in the intentional misapplication of accounting principles. In this light, the auditor's assessment of the appropriateness of the accounting policies selected by management takes on added significance.

4.68 The standards emphasize the need for professional skepticism throughout the audit. The briefing held during the team planning meeting should include a discussion of where errors may be more likely to occur and/or how fraud might be perpetrated. Team members should be clear on the nature of related queries to be made, who should make them, and the manner in which the resulting information will be shared with the rest of the team members.

Refer to Practice Statement #13—Fraud Risk Assessment Procedures and Related Activities

ANNUAL AUDIT POLICY

The audit Principal should ensure that the team has assessed and discussed the susceptibility of the entity to material misstatements in the financial statements due to fraud and error, and that the planned responses to the identified risks have been discussed and approved at a team planning meeting and documented in the audit file.

4.69 Although both management and those having oversight for the financial reporting process have primary responsibility for the prevention and detection of fraud and error, the auditor is expected to make specific inquiries of management during the planning of the audit. As part of the planning interviews, the auditor should

  • obtain an understanding of management's assessment of the risk of fraud;
  • obtain knowledge of management's understanding of the internal controls in place to address the risk of fraud and to prevent and detect error;
  • determine whether management is aware of any known or suspected fraud; and
  • determine whether management has discovered any material errors.

4.70 These inquiries should extend beyond the financial function to cover a wide cross-section of operational and corporate management. If considered appropriate, the auditor also should seek the views of those having oversight responsibility for the financial reporting process.

4.71 The auditor would also consider whether any "other matters" should be discussed with those having oversight responsibilities, such as the following:

  • concerns about management's assessment of the risks of fraud or error and the controls in place to prevent and detect them;
  • concerns regarding the potential for management override of controls;
  • failure by management to address material weaknesses identified in the prior year's audit; and
  • the auditor's assessment of the overall control environment of the entity.

4.72 On the basis of the information collected in performing the risk assessment procedures and considering any other work conducted to date, the auditor will consider whether any significant fraud risk factors exist in the entity. Extensive information on assessing and reporting the risk of wrongdoing and fraud can be found in the "Wrongdoing and Fraud Audit Guidance."

4.73 Auditors should discuss with the audit Principal the implications of any fraud risks or areas identified that are likely to result in errors and that require an overall response in planning the audit. Where such fraud risk factors are identified, specific audit procedures would be designed to address the identified risks. Even when we do not identify specific risks of material misstatement due to fraud, we should recognize that there is a possibility that management override of controls could occur. The possibility of this occurrence should be incorporated in the design of audit procedures.

4.74 The Forensic Audit Section is consulted whenever significant fraud risk factors have been identified and/or there is evidence to suggest that there may be a need for specialized forensic audit procedures.

Refer to Practice Statement #13—Fraud Risk Assessment Procedures and Related Activities

ANNUAL AUDIT POLICY

In planning the audit, the audit Principal should consider the risk of material misstatements in the financial statements resulting from fraud and error.


Addressing the Risk of Management Override of Controls

4.75 Recognizing that there is a possibility that management override of controls could occur, we should perform procedures to address this risk on every audit. Management is in a unique position to perpetrate fraud because of its ability to directly or indirectly manipulate accounting records and prepare fraudulent financial statements by overriding established controls that otherwise appear to be operating effectively. Procedures to address the risk of override of controls include examining journal entries and other adjustments for evidence of possible material misstatement due to fraud; reviewing accounting estimates for biases that could result in a material misstatement due to fraud, including performing a retrospective review of prior year estimates; and evaluating the business rationale for significant unusual transactions.

Refer to Practice Statement #13—Fraud Risk Assessment Procedures and Related Activities

Identify and Assess Risk of Abuse—Board and Executive Compensation, Travel and Hospitality

4.76 Due to the potential for management override, we also perform an additional risk procedure on every audit, even if there does not appear to be any indication of abuse. This procedure involves reviewing board and executive compensation and travel and hospitality claims. Audit teams are required to assess the risk of abuse by board members and senior executives that could result in personal benefit and that could indicate lapses in values or ethics, weak governance and/or inadequate oversight and control. Risk assessments in this area should recognize that public sensitivity and indications of management override of controls or abuse are more important than dollar materiality. This assessment should be performed in each annual audit and, at the minimum, testing should be performed in these areas at least once every three years. In addition, the audit team should consider such testing during a year of change (for example, new appointments to or departures from the senior executive positions).

4.77 If the team identifies issues that indicate anything other than low risk in the area of board or executive compensation, travel and hospitality, additional procedures should be considered. Given the sensitivities in this area, audit work should be carried out by experienced auditors—Audit Project Leaders and Directors. More detailed guidance may be found in the "OAG Approach to Auditing Executive and Board Compensation, Travel and Hospitality for Annual Audits," which is available on the Annual Audit INTRAnet site.

Updating the Audit Risk Assessment

4.78 Our audit approach recognizes that audit planning is a continuous and dynamic process of gathering, updating, and analyzing information throughout the audit. The timing of audit procedures is an Engagement Management activity and a key planning decision undertaken by the audit Principal based on entity experience and professional judgment. As such, other planning procedures (such as interim corroboration) may be performed after senior audit team approval and communication of our audit approach with the entity. In this case, we develop our risk assessments and audit approach related to controls based on CAKE and our initial interviews with senior management. If we identify additional significant risks, the audit Principal will respond appropriately. These steps reflect the concept that planning is an activity that continues throughout the audit and if circumstances change, audit plans may have to change as well.

ANNUAL AUDIT POLICY

Except in circumstances where signing authority for the audit has been delegated to the audit Principal, the audit Principal and Assistant Auditor General will review and approve the audit risks and strategy, as well as matters of significance relating to planning the engagement.

The Quality Reviewer (if applicable) will document his/her review, including comments to the team of the planning process.

If during the course of the audit and subsequent to approval of the audit strategy, additional matters of significance relating to planning of the engagement are identified, the audit Principal will ensure appropriate documentation of significant matters, assess the impact, and notify the Assistant Auditor General and Quality Reviewer (if applicable) if the audit strategy requires revision.

5 Annual Audit Planning

5.1 Annual Audit Planning is the third of five main audit activities. It requires the auditor to assess the significance of previously identified risks of material misstatement, establish and communicate our preliminary audit approach, conduct team planning meetings, consider reliance on the work of others, finalize the audit approach based on the results of corroborative procedures, such as systems reviews and/or control walkthroughs, and design detailed audit programs that respond to our assertion level risk assessments.

Annual Audit Planning—General

5.2 During the Planning Phase and throughout the audit, the audit team performs various risk assessment procedures to identify risks of material misstatement and significant risks that require special audit consideration. This approach begins with our Engagement Management and Knowledge of the Entity and Risk Analysis activities to identify business, fraud, and other risk factors that are deemed to have an impact on our audit. We also consider planning materiality and the nature and significance of audit risk. These important considerations guide the auditor in developing audit procedures that will provide sufficient, but not excessive, audit evidence.

5.3 Once we have developed a sufficient understanding of the entity and have considered business, fraud, and other risks of material misstatement relevant to the audit, we assess their significance at the assertion level, develop an audit approach, and plan appropriate audit procedures to respond to these risks.

5.4 The following is a discussion of the key elements of our audit approach in the Planning Phase: Annual Audit Risk Assessment, Preliminary Audit Approach by Cycle, and Designing Detailed Audit Programs.

Annual Audit Risk Assessment

5.5 The Annual Audit Risk Assessment section of TeamMate is used to document the risks identified for further consideration during the Planning Phase audit activities undertaken thus far. To this point, the audit team has performed risk procedures designed to identify risks of material misstatement relevant to our audit. This information is recorded in the Audit Risk Assessment form in TeamMate and financial statement assertions are assigned to each risk in order to ensure relevance. Then, we evaluate the significance of risks and conclude whether special audit consideration is required.

5.6 Auditors evaluate the significance of the risks for the audit by considering their "weight." In other words, are they of such a magnitude that they could result in a material misstatement of the financial statements? This assessment should exclude the effect of controls put in place by management to mitigate significant risks.

5.7 Auditors consider the likelihood that a material misstatement will occur. In considering this, we should take into account our understanding of the entity's business, industry, risks and controls, and our CAKE. Examples include the following:

  • CAKE will provide us with knowledge of areas where audit adjustments were often required, which may indicate a specific risk of material misstatement.
  • The nature of the entity's business may be such that operations in certain industries are more subject to specific risks. For example, for financial institutions, credit risk is a significant risk that needs to be well managed (especially in difficult economic situations).

5.8 If we determine that there is sufficient likelihood that a material misstatement will occur, we conclude that the risk is "significant" and requires special audit consideration. As a general response in the Audit Risk Assessment form, the auditor provides a brief description of the work planned to address significant risks and makes reference to the Preliminary Audit Strategy by Cycle within TeamMate, where our strategic approach to significant risks is documented.

5.9 The team requires an understanding of management's response (in other words, by obtaining an understanding of the entity's relevant internal controls) to mitigate significant risks, regardless of the team's intention to rely on the controls. These responses are recorded in the Audit Risk Assessment form.

5.10 Our audit approach requires that significant risks be given special consideration, which includes the following.

  • Auditors must evaluate the design of controls that relate to significant risks and determine the implementation of controls that address significant risks.
  • When a significant risk is identified and reliance is planned on the operating effectiveness of controls intended to mitigate the risk, audit evidence must be obtained about the operating effectiveness of relevant controls in every period audited (no rotation of controls testing).
  • Approaches to significant risks that consist of substantive procedures only must have audit procedures that include tests of details.

5.11 In designing our audit procedures to respond to the significant and other risks of material misstatement, audit teams should determine the source of likely material misstatement in the account balance, class of transactions, or disclosure in order to identify those financial statement assertions that are relevant. In determining whether a particular assertion is relevant, auditors should consider

  • the nature of the assertion;
  • the volume of transactions or data related to the assertion; and
  • the nature and complexity of systems, including the use of information systems and technology by which the entity processes and controls the related transactions.

5.12 For cash balances, for example, valuation may not be relevant unless currency translation is involved or there are doubts about the bank or other depository where the balance is held. However, existence and completeness are always relevant. For accounts receivable, valuation will be relevant to the allowances for bad debts, rather than the gross amount of the receivables balance.

5.13 Auditors must link each significant risk to a relevant assertion in the Audit Risk Assessment form in TeamMate. Additionally, the Summary of Comfort template provides a list of financial assertions typically considered relevant to the OAG's annual audit mandates.

Materiality and Audit Risk

Refer to Practice Statement #14—Materiality and Evaluating Misstatements

5.14 Materiality (see 5.15 for a definition) and audit risk need to be considered together throughout the audit and, in particular, during the Planning and Reporting phases. During the Planning Phase, materiality and audit risk are considered in determining the nature, timing, and extent of the audit procedures. In the Reporting Phase, they are used to assess whether the results of those procedures support management's assertion that the financial statements are presented fairly in accordance with generally accepted accounting principles. Planning Phase considerations are discussed below.

5.15 In performing an audit, we seek reasonable assurance that the financial statements as a whole are not materially misstated. Users are interested in information that may affect their decision process. As such, "materiality" is the term used to describe the significance of financial statement information to decision makers. An item of information, or an aggregate of items, is material if it is probable that its omission or misstatement would influence or change a decision. Materiality is a matter of professional judgment.

5.16 Although the definition above does not tell the auditor how to determine materiality, it does imply that

  • materiality should be determined from the point of view of the user, not management or the auditor;
  • materiality should be determined without reference to audit risk; specifically, materiality should not be reduced on high-risk audits or increased on low-risk audits;
  • materiality is more than a quantitative concept; and
  • qualitative factors and judgments about materiality are subjective and may change during the course of the engagement.

5.17 Guidelines for determining materiality. Materiality is always relative and determination of materiality requires judgment. Therefore, it is not possible to lay down specific rules or absolute numerical measurements that will apply in every case. Consequently, the materiality decision ultimately rests with the auditor's professional judgment. In determining materiality for planning purposes, the auditor considers both quantitative and qualitative factors.

5.18 Quantitative materiality is normally determined by taking a percentage of an appropriate "base," which is generally one of the most significant financial results in the entity's statements. For entities in the public sector, total expenditure is often selected as the base. This recognizes that, in many cases, Parliamentary appropriations are determined based on these expenditures. The Office generally considers a quantitative estimate of materiality of 0.5–2 percent of total expenditures as appropriate. For more commercially oriented organizations such as enterprise Crown corporations, materiality might be determined using a base of revenues, operating income, or some other appropriate measure. The base selected and the threshold percentage applied should reflect, in the auditor's judgment, the measures that financial statement users are most likely to consider important.

5.19 An auditor also considers qualitative matters before making a final determination of planning materiality. Although qualitative matters are typically more relevant when evaluating misstatements, they should also be considered when establishing planning materiality. Matters that should be taken into account in the auditor's determination of planning materiality include such factors as a "bottom line" that is expected to be close to zero, expected "tight" compliance with restrictive covenants, and statutory or regulatory reporting requirements that may be difficult to comply with.

5.20 When materiality is reduced from one period to the next, the auditor needs to pay particular attention to the level of misstatement that may exist in balances representing opening equity. Those balances will have been audited to a higher level of materiality and may contain errors that could contribute to a misstatement in the current period.

5.21 Audit risk. Our audit approach requires audit teams to consider audit risk and materiality in the context of obtaining reasonable assurance. We plan and perform audit procedures to reduce audit risk to an acceptably low level. Consequently, audit risk contains two key elements:

  • the risk that the financial statements contain material misstatement (inherent and control risks); and
  • the risk that the auditor will not detect such a misstatement (detection risk).

5.22 To reduce audit risk to an acceptably low level, auditors must identify the risks of material misstatement and perform procedures to respond to the assessed risks at the financial statement, class of transaction, account balance, and assertion levels.

5.23 Our methodology defines "audit risk" as the risk that the Office expresses an inappropriate audit opinion due to undetected misstatements. It is the risk that after completing the audit, misstatements aggregating to more than materiality will remain undetected in the financial statements. In practice, audit risk is unavoidable because auditors cannot obtain absolute assurance that all material misstatements have been detected. Audit risk, as well as materiality, should be considered in:

  • planning the audit, and designing and executing auditing procedures; and
  • evaluating whether the financial statements taken as a whole are presented fairly, in all material respects, in accordance with generally accepted accounting principles.

5.24 Audit risk is managed by varying the nature, extent, and timing of the audit work, recognizing that it is inappropriate to strive for greater audit assurance than may be feasible—because of inherent imprecision within the financial statements—or justified, if the cost of greater audit assurance exceeds the value to users of the financial statements.

5.25 The audit Principal should always plan and perform the audit in order to limit the audit risk to an acceptably low level that is appropriate, in his/her professional judgment. "Appropriate" means that the audit Principal is satisfied that the audit risk is low (no more than 5 percent) of expressing an inappropriate opinion on the financial statements.

Documentation of Risk Assessment Procedures in TeamMate

5.26 Documentation in TeamMate should evidence the risk assessment procedures performed and the information gathered in obtaining an understanding of the entity, its business environment, and internal controls. The sources of information from which the understanding was obtained and the risk assessment procedures performed would also be recorded. In the TeamMate Annual Audit folders, the information obtained about the entity's business, fraud, and control risks should be documented in the appropriate folders within Section B, Knowledge of the Entity and Risk Analysis. The auditor's assessment of the impact of these risks on the audit should then be documented in the Annual Audit—Risk Assessment folder within Section C, Annual Audit Planning.

ANNUAL AUDIT POLICY

The audit Principal should review and approve the Audit Risk Assessment form, including the general audit approach adopted in response to significant risks.

The Audit Risk Assessment form should also be reviewed and approved by the responsible Assistant Auditor General, except in those entities where signing authority for the Auditor's Report has been delegated to the audit Principal.

Preliminary Audit Approach by Cycle

5.27 The purpose of the Preliminary Audit Approach by Cycle template is to capture key information and decisions underlying the development of the strategic approach for the audit. The required form in TeamMate provides the file reviewer with a high-level snapshot of the scope, timing, and planned audit approach by indicating the planned sources of assurance from controls, analytical procedures, and substantive tests of details for each significant financial statement component/business cycle and significant risk. The audit Principal, Assistant Auditor General, and, where appropriate, the Quality Reviewer, approve this document as well as the Audit Risk Assessment form.

ANNUAL AUDIT POLICY

The audit Principal should participate directly in all key decisions involving the development of the strategic approach as documented in the Preliminary Audit Approach form. The approach and any related significant changes should be documented and then approved by the audit Principal.

Except in cases where the audit Principal has been delegated signing authority for the audit, the strategic approach should also be reviewed by the responsible Assistant Auditor General before significant detailed planning and testing is carried out.

5.28 The Office strives to adopt a Reliance on Controls audit approach where appropriate. The Office should expect that federal entities we are responsible for auditing under our auditing jurisdiction have instituted proper internal controls that we can rely on. In situations where a Reliance on Controls approach is not possible for the current year audit due to the absence of key controls or improper documentation of the performance of control procedures, the audit team should identify the controls and/or documentation procedures that would normally be expected in the circumstances, and explain to entity management how they should strengthen their internal controls. These suggestions should be presented to management in the form of a management letter and, if appropriate, to Parliament.

5.29 When selecting an audit approach, the team will consider not only whether a reliance on controls audit approach is possible but whether it is appropriate to do so. In certain circumstances, a substantive audit approach may provide for a more efficient audit even though a reliance on controls audit approach is possible. Circumstances where reliance on controls may be possible but not appropriate include auditing a class of transactions consisting of predominantly high-value items, or auditing small organizations with a low volume of transactions. Under such circumstances, substantive testing may provide a more efficient audit approach; however, the audit team is expected to exercise professional judgment.

ANNUAL AUDIT POLICY

Where audit teams do not follow the Office's preferred audit approach, of reliance on controls, as the primary source of audit assurance, the reasons for not following this approach should be documented in the Preliminary Audit Approach by Cycle and approved by the Assistant Auditor General.

When signing authority for the audit has been delegated to the audit Principal, he/she will approve the Preliminary Audit Approach by Cycle and the reasons for not adopting reliance on controls.

Strategy Development—General

5.30 In the Planning Phase of the audit, significant risks that have a potential impact on particular financial statement component assertions are identified and assessed to ensure that audit efforts focus on the major business cycles that support the financial statements.

5.31 This risk assessment determines the critical nature of these business cycles and the type of related controls selected for review, documentation, and evaluation.

5.32 The audit strategy is developed based on two key principles.

  • The Office is committed to a reliance on controls approach whenever appropriate and practical.
  • Controls reliance is determined as a point on a continuum, rather than as a discrete measure.

5.33 These two principles provide the audit team with exceptional flexibility to design a reliance on controls audit approach that takes into account the specific strengths of control systems in the entity and allows for the maximum degree of assurance to be taken given the quality and audit potential of the existing systems and practices. The Annual Audit Planning diagram on the following page depicts strategic planning options and the controls reliance continuum.

Annual Audit Planning graphic

Gaining Assurance Through Reliance on Controls

5.34 To help achieve its objectives, all organizations institute controls. Internal controls assist management in safeguarding its assets, in optimizing the use of resources, in preventing and detecting fraud or error, and in maintaining reliable business process systems. In the public sector, controls also exist to ensure compliance with authorities (acts of Parliament, enabling legislation, regulations, etc.).

5.35 During the Planning Phase, it is important that the audit team has up-to-date knowledge of each business system of audit significance, including an understanding of

  • the impact of the entity's business processes and how they have influenced the design of management and accounting business systems;
  • the types of transactions and documents processed by the systems;
  • the manner in which the transactions are initiated and processed; and
  • the manner in which transactions and balances are assembled and summarized for financial reporting purposes.

5.36 Generally accepted auditing standards (GAAS) require the auditor to obtain an understanding of the control environment and the control systems relevant to the audit, even when no reliance is to be placed on controls. The auditor uses this understanding to identify types of potential misstatements, consider factors that affect the risks of material misstatement, and design the nature, timing, and extent of further audit procedures. The depth of understanding required by GAAS involves evaluating the design of controls and determining whether they have been implemented.

5.37 Internal controls are important for mitigating the risks to the achievement of the entity's business objectives. The entity's objectives, and therefore controls, are related to financial reporting, operations, and compliance; however, not all of these objectives and controls are relevant to the auditor's risk assessment for annual audit.

5.38 Where the audit team can establish that controls are effective and operating throughout the year, a significant degree of audit assurance may be derived. Such evidence is generally derived more efficiently and effectively through a Reliance on Controls approach than through any other audit techniques.

5.39 Controls relevant for the annual audit are found throughout the organization, ranging from very low-level controls at an individual transaction level to very high-level governance controls addressing overall corporate performance. Higher-level controls are generally more valuable from an audit perspective because they provide assurance over the results of many transactions.

5.40 Consequently, in establishing which controls to rely upon, the auditor "drills down" through the organization, searching for the highest level controls that give him/her comfort over the financial statement component(s) in question.

5.41 The level at which the auditor identifies controls that have the potential to provide him or her with the comfort required determines the nature and extent of the audit procedures that must be performed. Auditors and other team members with specialized skills and knowledge in IT work together to identify the key controls and to develop the necessary tests and other procedures to obtain the audit evidence and assurances we consider necessary.

5.42 The auditor may choose to rely on lower-level controls even though higher-level controls may exist. The decision to choose certain controls for reliance is affected by many factors, including the auditor's assessment of the level of assurance provided and the level of assurance required; effectiveness of the controls; the costs of obtaining the required evidence; and previous experience with those controls. As discussed in Chapter 4, the level of assurance provided by a control relates to its relationship to a financial statement assertion. Controls can be either directly or indirectly related to a financial statement assertion. The more indirect the relationship, the less effective the controls may be in preventing or detecting and correcting misstatements, and hence the less assurance they provide.

5.43 In some cases, a combination of levels may be selected. The choice of the type(s) of control(s) to be tested and the nature and extent of testing of each depends on the auditor's assessment of the most cost-effective way to obtain the required audit evidence.

5.44 In a Reliance on Controls approach, the process of understanding and documenting the transaction flow and process of a business cycle should lead to the identification of the controls relevant to the audit and the key controls to be tested. Controls may be relied upon only where our testing supports reliance. Accordingly, in identifying the key controls, the auditor must

  • ensure that we have considered all relevant key controls and identified the right ones for testing;
  • apply all of our cumulative knowledge and experience with the entity;
  • confirm how the controls are used/applied in practice; and
  • evaluate their design and determine whether the controls have been implemented and are operating effectively throughout the period under audit.

5.45 Federal entities are expected to have proper controls in order to help ensure that public monies are spent efficiently and effectively for their intended purposes. If the expected controls are well designed, implemented, and operating effectively, the audit team should rely on them. If no controls can be relied upon, the audit team should be very concerned. In such cases, the needed controls should be identified in a management letter, report to those having oversight responsibility for the financial reporting process, or report to Parliament, and work toward reliance on controls in future years.

Refer to Practice Statement #15—Communicating Significant Deficiencies in Internal Control


ANNUAL AUDIT POLICY

When a reliance on controls approach cannot be adopted because of weaknesses in internal control, the audit Principal should ensure that the nature of these weaknesses and the team's suggestions to strengthen them are reported in a management letter.

Depending upon our assessment of the significance of these control weaknesses, the audit Principal should also consider reporting them to those with oversight responsibility for the financial reporting process and, in extreme cases, to Parliament.

Reliance on Management and Monitoring Controls

5.46 In the Planning Phase of an audit, when the audit Principal and Director determine the audit strategy and planned reliance on controls, they must consider the extent to which they rely on management and monitoring controls and the cost-effectiveness of relying on these controls. The management and monitoring controls discussed here generally fall in the control activity component of an entity's internal control. The monitoring of controls component of an entity's internal control is addressed in "Knowledge of the Entity's Internal Controls" in Chapter 4.

5.47 Management and monitoring (M&M) controls are analytical or review procedures that focus on the outputs of the entity's information systems and give management assurance that a group or class of transactions have been processed completely, accurately, and in accordance with authorized procedures. M&M controls look at a cluster of transactions instead of looking at individual ones. They are usually applied to groups of transactions that have been processed (or partially processed) and are designed to monitor results against desired objectives and anticipated results. For more information, see "Audit Guidance on Reliance on Management and Monitoring Controls" on the Annual Audit INTRAnet site.

Reliance on Application Controls

5.48 Application controls are manual or automated controls built into a client's systems. They are applied to individual transactions or to batches of similar transactions. We can rely on application controls by establishing that their design is appropriate to effectively detect and prevent errors and by obtaining assurance of the consistency of their operation over the period of reliance.

5.49 When the audit team intends to rely on automated application controls or manual controls relying upon system-generated data (IT-dependent controls), it consults with an IT Audit Specialist. For examples of how IT Audit Specialists assist the audit team with planning, refer to paragraph 2.50 in Chapter 2. Additional guidance on planning reliance on application controls is available in "Control Testing Guidance" on the Annual Audit INTRAnet site.

Rotational Testing of Controls

5.50 Assuming that controls have not changed since they were last tested, testing for operating effectiveness may need to be performed only once every three audits.

5.51 Where applicable, the period of reliance should be based on professional judgment. Reliance on evidence obtained in previous audits would not normally be applicable when

  • reliance is required to mitigate a significant risk of material misstatement at the assertion level; the tests of controls should be performed in the current period;
  • controls have changed;
  • a weak control environment exists;
  • the ongoing monitoring of controls is poor;
  • there is a significant manual element to the operation of relevant controls;
  • personnel changes have occurred that significantly affect the application of the control;
  • changing circumstances indicate the need for changes in the operation of the control; and
  • there are weak general computer controls.

5.52 When there are a number of controls for which evidence can be used from the prior year audits, reliance should be staggered so that some testing of controls is performed during each audit. Testing some controls each year also provides collateral evidence about the continuing effectiveness of the control environment.

5.53 Before audit evidence obtained in prior audits can be used, the continuing relevance of such evidence needs to be established. This will include confirming our understanding of those specific controls through inquiry, observation, and inspection of the controls (such as discussions with the client and a walkthrough).

5.54 Our audit methodology requires that certain general computer controls, such as controls over program changes and user access, be tested annually. Audit teams should consult with an IT Audit Specialist if they intend to rely on IT-dependent and general computer controls. Refer to Chapter 2 for more information about the role of (IT) Audit Specialists on the audit team and the related annual audit policy.

Compliance With Authorities

Crown Corporations and Other Entities

5.55 Readers of our reports are looking for assurance that significant transactions (or events) that would reasonably be expected to come to our attention during the conduct of the annual audit have been assessed for compliance with governing authorities and that we have reported on all significant cases of non-compliance.

5.56 It is critical that the auditor fully understand the authority framework governing the entity, the audit mandate, and the transactions subject to audit. Otherwise, there is a risk that the audit procedures will not be tailored to the specific needs of auditing compliance with authorities or will be inappropriately executed.

5.57 Some legislative requirements of the FAA and other authorities are not necessarily related to individual financial statement components. For example, the provisions relating to the need to have corporate plans and budgets, an internal audit function, and so on do not directly affect the financial statements. Specific audit procedures may need to be applied as part of auditing these elements of compliance with authority.

5.58 In developing the strategic direction, an assessment should be made of the risk of significant non-compliance with the identified governing authorities. A number of factors must be considered in this assessment, including knowledge of the entity, past audit experience, and management's attitude towards compliance. It is important to involve senior members of the audit team in making these judgments. For new or amended authorities, the audit Principal should consult with entity management to obtain a clear understanding of the implications to the entity and, correspondingly, to the audit approach.

5.59 The auditor should keep in mind the compliance with authorities aspects of the audit throughout the various phases of the audit. Accordingly, the auditor would consider the implications on compliance auditing in doing such things as gathering information on client accounting and information systems, assessing the control environment, developing detailed audit programs, and assessing audit results. To the extent practicable, procedures for assessing compliance with authorities should be integrated with the audit procedures of the related financial statement component(s).

5.60 Building on the information gathered during the audit risk assessment, the audit Principal should ensure that

  • the relevant authority requirements have been identified (for example, the FAA and regulations, enabling legislation, appropriation acts, bylaws of Crown corporations, and any directives issued under section 89 of the FAA);
  • the authority requirements have been reviewed and significant and/or high-risk ones identified; and
  • the audit approach, including any specific procedures considered necessary for providing sufficient, appropriate audit evidence in relation to these significant authorities, has been included in the tailored audit programs for the relevant components to address compliance with authorities issues.

5.61 Specific guidance on significant requirements of the FAA and regulations and the Canada Business Corporations Act is available on the Annual Audit INTRAnet site.

5.62 Another important point is that the significance and/or risk associated with a particular authority can be quite different from that of a related financial statement assertion(s) for the same component. Consequently, there may be lesser or greater testing requirements for authorities than for financial statement assertions. For example, an entity's short-term investment program may be considered low risk for financial statement purposes, but there could be concerns that the corporate bylaw governing the investing activities is not being complied with.

Public Accounts of Canada

5.63 Authorities' work as part of the section 6 audit is limited to the scope and limit of the vote. Additional work based on the assessment of the risk of non-compliance with significant "financial" authorities is implemented on an incremental and rotational basis when necessary. The key financial authorities for the public accounts audit are primarily the FAA and its regulations and those aspects of the entity's enabling legislation, program legislation, and related regulations that would reasonably be expected to fall within the scope of the auditor's examination.

5.64 The Central Team has created an inventory of government-wide financial authorities. From the authorities identified, a list of risks has been compiled. Each year, a select number of risks are audited as part of a rotational audit approach to financial authorities.

5.65 Entity teams are expected to create their own inventory of financial authority risk factors based on their entity's enabling legislation and any related regulations. Entity Principals are responsible for determining the risks they believe are significant to their entity. This process will involve a risk analysis and an assessment of the potential for non-compliance. Based on this work, the entity Principal will select additional authorities for examination on a rotational basis.

5.66 Entity teams should complete a review of the results of any audit work performed by the internal audit department that touches on compliance with authorities. The entity teams will then design a detailed audit program, and after discussion with the Central Team, perform the associated audit work required and report on the results.

5.67 To ensure appropriate assessment of compliance with the scope and limit of the vote, an authority component should also be included in any spending, borrowing, or revenue transaction selected for substantive verification. The objective here is to determine whether the transaction met the intended purpose of the underlying authority. Where there is reliance on internal financial controls for purposes of the audit, components dealing with compliance with authority should be included in the tests of key controls.

5.68 Reporting will be on an exception basis for all compliance with authorities work. Specifically, cases of non-compliance will be considered for inclusion as "other matters," observations of the Auditor General on the Financial Statements of the Government of Canada, chapter material, or management letter points, on a case-by-case basis.

ANNUAL AUDIT POLICY

The audit Principal should ensure that the audit team designs an effective and efficient approach to auditing compliance with authorities, and that the approach is based on an assessment of significance and risk.

Quality Reviewer's Role in Planning

5.69 For certain audits, the Office appoints a Quality Reviewer in order to provide an enhanced level of quality assurance. The role of the Quality Reviewer is to provide additional assurance that audits are conducted in accordance with professional and Office standards in key areas for engagements deemed to be of higher audit risk to the Office. Quality Reviewers are typically assigned to audits perceived to be of higher risk; to those that are complex to conduct or are sensitive in nature; or to those that have complex accounting issues. Quality Reviewers have significant Office experience and have no direct involvement in the particular annual audit(s) to which they are assigned. Accordingly, they provide an additional element of independence and objectivity in key risk areas related to planning and reporting the annual audit. For detailed guidance on the quality review function, refer to "Quality Reviewer Guidance for Annual Audit" available on the Annual Audit INTRAnet site.

ANNUAL AUDIT POLICY

On those audits for which a Quality Reviewer has been appointed, it is the audit Principal's responsibility to ensure that the Quality Reviewer is involved on a timely basis and receives the information needed to perform his/her review of the development of the strategic plan before significant fieldwork begins.

Other Strategies

Reliance on Internal Audit

5.70 Where feasible, reliance on internal audit work is desirable as it is usually a cost-effective source of audit assurance. The internal audit function should be reviewed at the Planning Phase in order to

  • determine the extent to which the Office can rely on its work in setting the audit scope;
  • coordinate audit work and avoid unnecessary duplication of effort; and
  • determine whether detailed testing of the internal auditors' work is required before placing reliance on it.

Pre-Year-End Testing

5.71 It is often possible to schedule portions of the audit work prior to the year-end date. For example, tests of internal control can often be conducted midway through the year.

5.72 Where substantive tests of detail are planned, it is often advantageous to schedule as much testing of transactions and balances as possible before the year-end date (for example, for confirmation of receivables/loans). Pre-year-end testing should be done as close to the year-end date as possible, but generally not more than three months in advance. Proper roll-forward procedures—audit tests designed to cover the period between the date of the pre-year-end substantive testing and the year-end date—should also be undertaken. As a minimum, these should

  • ensure that key controls continued to be effective throughout the roll-forward period; and
  • involve substantive tests of detail for transactions exceeding materiality in the roll-forward period.

Consultation With Specialists

5.73 Assessing risk in specialized areas may be difficult, such as financial statement components wholly or substantially composed of transactions involving financial instruments. In these situations, it may be appropriate to consult with Office specialists before finalizing risk assessments for the audit (refer to Chapter 8—Consultation).

5.74 Because of the pervasive impact of IT on the operations of most of our entities, the IT Audit Specialist would normally be consulted to assist in determining whether any specific IT-related business risk factors appear to be present in the entity. Other Office or external specialists may also be consulted when considered necessary by the audit Principal.

"Other Matters"

5.75 As noted in Chapter 2, annual auditors have a responsibility to identify and report on "other matters" that, in their opinion, should be brought to the attention of Parliament. During the Planning Phase, the auditor should identify issues that may have the potential to be of significance and/or of a nature that they should be brought to the attention of Parliament. Such matters have not been defined in legislation; they are left to the judgment of the auditor(s).

5.76 The types of issues that can potentially be reported as "other matters" to Parliament are too numerous to list here. The following list, however, describes some of the issues that are significant and would merit reporting:

  • significant transactions (especially those exceeding materiality) that, while permitted under enabling legislation, appear to be unusual or unexpected given the entity's mandate;
  • spending on initiatives that do not seem to have normal Parliamentary authority;
  • operating activities that contravene accepted standards of government or corporate behaviour (for example, payments to "agents" that appear to be excessive);
  • major acquisitions made without due regard for economy (for example, those relating to investments, capital assets);
  • exposure to significant losses that may have to be funded by the Consolidated Revenue Fund;
  • conduct, actions, or transactions that could damage the reputation of Canada, either domestically or internationally;
  • non-responsiveness to recommendations made by the Public Accounts Committee or other standing committees;
  • allegations of improprieties that are confirmed during an annual audit; and
  • corporate behaviour that appears to be inconsistent with traditional public sector values.

5.77 "Other matters" are unlikely to be clear-cut and may be open to more than one interpretation. Accordingly, a full understanding of the issues surrounding a potential "other matter" should be obtained and documented by the audit team. In many cases, "other matters" revolve around facts known to the entity. For example, the issue may be already reflected in corporate plans and budgets, and/or in one or more of the entity's communications with Parliament. However, the auditor's independence and objectivity may lead to viewing the known facts in a different light.

5.78 Office annual audit policies require the audit team to consult on significant, complex, and/or sensitive issues. "Other matters" generally meet all of these criteria and, accordingly, there should be extensive consultation within the Office. At the early stages of evaluating potential "other matters," consultation would be expected with

  • the responsible AAG;
  • the Quality Reviewer, if applicable;
  • Legal Services;
  • the Annual Audit Practice Team; and
  • a specialist (for example, the Principal responsible for the annual audit of the Public Accounts of Canada).

5.79 More detailed guidance may be found in "Audit Guidance on Reporting ‘Other Matters' in Annual Audits," which is available on the Annual Audit INTRAnet site.

Team Planning Meetings

5.80 Team discussions are an essential part of planning and occur at the team planning meeting. This meeting should include all annual audit team members (including the team member with IT specialist knowledge), as well as others who might add value or benefit from the discussion, such as the Public Accounts auditors or support staff for large or high-risk audits. The responsible Assistant Auditor General should also be invited to attend the meeting, although his/her attendance is not essential.

5.81 An effective team planning meeting requires an organized agenda and attendance by well-prepared team members. The primary purpose of the meeting is for members of the audit team to gain a better understanding of the potential for material misstatements of the financial statements resulting from fraud or error in the specific areas assigned to them, and to understand how the results of the audit procedures that they perform may affect other aspects of the audit, including the decisions about the nature, timing, and extent of further audit procedures. The discussions provide an opportunity for team members to understand the key audit strategy decisions regarding business risks, other inherent risks, and the preliminary audit strategy by cycle. The audit Principal should encourage discussions and questions regarding the key strategy decisions so that team members leave the meeting with a solid understanding of the overall approach to the audit and of how their sections contribute to the achievement of the overall audit objectives. These decisions are documented in the Strategic Approach Summary folder of the file.

5.82 During the team planning meeting, the team should also agree upon common working practices, including documentation techniques for the engagement (for example, how lead schedules will be documented and included in the working papers, the use of client-prepared schedules, and the frequency of team briefing meetings).

5.83 In addition, the following important matters should also be discussed at the meeting:

  • significant authorities to be audited;
  • potential risks of material misstatement;
  • susceptibility of the entity to material misstatements in the financial statements resulting from error and fraud, how fraud may occur and the team's planned audit response to any identified risks;
  • the need to continually exercise professional skepticism;
  • the nature and timing of working papers to be prepared by the client;
  • the use of specialists or reliance on the work of others;
  • identification of the audit report signatory and assignment of a Quality Reviewer to the audit;
  • the importance of remaining objective and independent; and
  • audit completion deadlines (interim and year-end).

5.84 The matters discussed among the audit team during this team planning meeting should be documented in the TeamMate audit file. In particular, the audit file should contain information about the susceptibility of the entity's financial statements to material misstatement due to error or fraud, and the significant decisions reached.

5.85 Communicating the strategic approach. All significant elements of the strategic approach should be communicated to audit team members, including those from other product lines (for example, performance audits) as applicable. These planning elements should be included on the agenda and discussed at the team planning meeting.

5.86 Office policies dealing with communications in the broad sense are discussed in "Communications With Audit Entities" in Chapter 2.

Report to the Audit Committee—Annual Audit Plan

Reporting to Those Having Oversight Responsibility for the Financial Reporting Process

5.87 When an identifiable body exists that has oversight responsibility for the financial reporting process (for example, an audit committee or its equivalent), a report should be prepared setting out pertinent information concerning the scope of the annual audit, the planned approach, the matters of audit significance, and matters that bear on independence. A template of the Report to the Audit Committee—Annual Audit Plan is found on our INTRAnet site and is updated from time to time as required by changes to professional standards.

5.88 Not all of our annual audit entities have a body charged with oversight responsibility for the financial statement reporting process. Those that do, however, should receive a suitable report from the Office's audit team. There are numerous situations in our practice that require the Office to report to a body other than an audit committee. For example, in the annual audit of the Public Accounts of Canada, the Office prepares a report outlining its planned approach to the Secretary of the Treasury Board, the Deputy Minister of Finance, and the Deputy Receiver General for Canada. For Public Accounts, some entity audit teams prepare similar reports for departmental audit committees in cases where our participation has been sought or agreed to by the entity.

5.89 The report should include a section that clearly sets out the level of responsibility assumed by the auditor in conducting an audit in accordance with Canadian generally accepted auditing standards. Matters that should be discussed include

  • the important role that the oversight body can play in the financial reporting process;
  • the responsibilities of management in the financial reporting process;
  • the fact that an audit opinion is based on reasonable, but not absolute, assurance that the financial statements are free of material error;
  • the nature of the auditor's responsibilities, specifically with respect to the detection of fraud and error, compliance with authorities, and "other matters";
  • confirmation that we are independent with respect to the entity within the meaning of the Rules of Professional Conduct of the related provincial Institute of Chartered Accountants, and thus free of any influence, interest, or relationship with respect to the entity that could impair our professional judgment;
  • the general nature of the procedures performed during an audit;
  • the need to obtain management's written confirmation of significant representations provided to the auditor during the engagement;
  • the fact that when the auditor's risk assessment includes an expectation of the operating effectiveness of controls, sufficient appropriate audit evidence will be obtained through tests of controls to support the assessment, but the scope of the auditor's review of internal control will be insufficient to express an opinion as to the effectiveness or efficiency of the entity's controls; and
  • the auditor's opinion as to whether the financial statements present fairly in all material respects, in accordance with generally accepted accounting principles, the financial position, results of operations, and cash flows of the entity.

5.90 The report should also communicate aspects of the auditor's overall audit strategy that would be helpful to the oversight body in discharging its responsibilities. Such aspects could include

  • the general approach to the audit, including any significant changes from the prior year;
  • the nature and extent of significant risks that might affect the financial statements;
  • the specific financial statement components that have a higher risk of material misstatement, including the auditor's response thereto;
  • the materiality level(s) on which the audit is based;
  • the auditor's preliminary assessment of internal control, its major business cycles, and the extent of planned reliance thereon;
  • the auditor's perceptions of the entity's vulnerability to fraud and illegal or possibly illegal acts;
  • the effects of new developments in accounting standards, or of legislative or regulatory requirements on the entity's financial reporting; and
  • planned reliance on the work of internal auditors and/or other specialists.

5.91 The report for discussion with the oversight body should be prepared and circulated to members of the committee well in advance of the meeting. Before the report is finalized, entity senior management should have an opportunity to comment on a draft of the report. The team should communicate in writing, in the entity's language of choice, and be prepared to communicate in both official languages.

5.92 The report on the audit plan and approach is normally sent under the signature of the audit Principal.

5.93 In some circumstances, it may be appropriate to place less emphasis on "boiler plate" information, particularly where the audit committee is experienced. In such cases, the required boiler plate information could be placed in an appendix. The team's planned audit approach and matters of potential significance are normally expected to be susceptible to change, particularly the latter. In addition, personnel changes in the senior management category of the entity and, indeed, the membership of the oversight body may also experience change. For these reasons, our reports must provide the information required by these oversight bodies. In particular, we should provide them with a suitable understanding of both our audit approach and the issues expected to play a significant role in completing our audit and finalizing the entity's financial statements.

ANNUAL AUDIT POLICY

The audit Principal should ensure that the audit team communicates with management and those having oversight responsibility for the financial reporting process regarding the planned approach and matters of potential significance related to the annual audit. Written communication of this important information should be done on a timely basis.

Designing Detailed Audit Programs

5.94 Annual Audit Planning activities result in the preparation of detailed audit programs. It is here that we link the results of our risk assessment procedures and strategic planning decisions with the audit procedures we plan to perform. The objective is to respond to the identified risks of material misstatement by performing sufficient and appropriate procedures to reduce the audit risk to an acceptably low level.

5.95 Finalize the audit approach. Subsequent to preparation of the Preliminary Audit Approach by Cycle, the team may have performed additional procedures designed to corroborate initial risk assessments and planning decisions as well as to obtain a more detailed understanding of the entity and its internal control. It is only after we have corroborated our understanding of the entity and internal controls—which includes among other things observation and inspection of the major business processes and relevant internal controls—that we are in a position to finalize the audit approach and prepare our detailed audit programs.

5.96 The team considers the results of the corroborative procedures, including evaluation of the design and implementation of control activities, as well as the results of tests of controls (if any), and determines if any additional risks of material misstatement have been identified. The team considers if any additional significant risks were identified and, if necessary, update the Audit Risk Assessment form and the Preliminary Audit Approach by Cycle template. If the audit Principal concludes that significant changes to the audit strategy have occurred, he/she will notify the Quality Reviewer and AAG of these significant changes to the risks and audit strategy and obtain their approval.

ANNUAL AUDIT POLICY

If during the course of the audit, and subsequent to approval of the Audit Risk Assessment and Preliminary Audit Approach, additional risks of material misstatement are identified, the audit Principal determines whether significant changes to the audit strategy have occurred and whether an appropriate audit response has been planned.

The audit Principal must notify the Assistant Auditor General and Quality Reviewer if significant changes have been made to the risks previously identified and audit strategy.

5.97 The team must document all audit procedures in the Summary of Comfort (SOC) for each key business cycle or financial statement component. Detailed audit programs are then prepared within the respective cycle folders in TeamMate. The SOC and detailed audit programs are the culmination of all aspects included in the planning phase of the audit.

5.98 The Summary of Comfort (SOC) template is intended to clearly document how the team

  • supported the assessment of the risks of material misstatement at the financial statement level and at the assertion level;
  • linked assessed risks to audit procedures responsive to those risks; and
  • assessed the level of assurance obtained to respond to the risks at the financial statement and assertion levels.

5.99 The major steps in preparing the SOC at the Planning Phase are as follows:

  • document all relevant significant risks identified (pervasive risks and those related to the specific cycle/component);
  • document other risks of material misstatement (those that are not considered significant);
  • assess risk level by assertion (high, medium, low) as supported by the significant risks and other risks of material misstatement identified and documented;
  • document the nature, timing, and extent of the planned audit procedures (controls testing, analytical review, and test of details) to address specific risks and/or assessed level of risk by assertion; and
  • indicate the expected level of assurance from each procedure (low, medium, high).

5.100 The goal is to develop customized audit procedures that respond to our assessed risks. If the risk level regarding financial statements is assessed as high, then more work is required for all financial statement components because the risks are considered pervasive. Where risks of material misstatement for a particular assertion are assessed as high, more work is required than for an assertion where risks are assessed as medium or low. The auditor uses professional judgment to determine the appropriate level of work to respond to the assessed level of risk.

5.101 We then prepare detailed audit programs within the key cycle folders in TeamMate. They contain more specific instructions based on the audit procedures identified in the SOCs and describe the nature, timing, and extent of the audit procedures to be performed. Documentation of the detailed audit programs also serves as a record of the appropriate planning and performance of the audit procedures that should be reviewed and approved prior to the performance of further audit procedures.

5.102 The detailed audit programs and SOCs are reviewed and approved by the audit Director prior to the commencement of testing of internal control effectiveness and year-end substantive audit work. Review of the SOCs by more senior members (Principal or Assistant Auditor General) of the audit team is required when appropriate (such as for significant risk areas). The confirmation of assurance obtained and final evaluation of its sufficiency are performed during the Reporting Phase of the audit.

5.103 The Office has an extensive database (TeamStores) of generic audit procedures for common financial statement components. TeamStores also contains audit procedures for testing internal controls relating to common business cycles. Assertions have been identified for each of these audit steps and, in some cases, background information such as suggested analytical procedures is also available. These audit procedures can be selected and incorporated into the audit file from TeamStores as applicable. Alternatively, the auditor can develop audit steps to specifically address the unique characteristics of the particular audit entity.

5.104 Detailed audit programs are also developed for auditing compliance with authorities. Authorities should not be considered as a separate, stand-alone aspect of our audit work, but rather as an integral component of it. Accordingly, where significant authorities have been identified during the formulation of the strategic approach for specific financial statement components, the procedures for testing compliance should be integrated, where practicable, with the other audit procedures relating to that component. Generic procedures for auditing authorities that are encountered regularly have been included in TeamStores.

ANNUAL AUDIT POLICY

The Director (or another individual managing the audit), in consultation with the audit Principal, should ensure that the audit programs are consistent with the approved strategic approach and should review and approve the tailored audit programs and any significant changes thereto.

5.105 Planning—an ongoing activity. Important milestones in the Planning Phase include the preparation of key planning documents, the Audit Risk Assessment, the Preliminary Audit Approach by Cycle, and the Report to the Audit Committee. However, completion of these tasks should not be considered the end of the Planning Phase. Planning is an activity that continues throughout the audit, responding to new circumstances such as unforeseen changes in the entity's business or its systems, or unexpected results coming to light during the Execution Phase of the audit. Whenever such developments occur, are significant, and require a change in audit procedures, the Audit Risk Assessment and the Preliminary Audit Approach by Cycle should be updated accordingly. Making significant changes to these documents requires the same approval protocol as was followed for the originals.

6 Annual Audit Execution

General Considerations

6.1 The objective of the Annual Audit Execution Phase is to carry out the strategic plan that has been outlined in the TeamMate Annual Audit Planning folder. In particular, we want to ensure compliance with the examination standards specified in that section.

The expectations set out in these standards may be paraphrased as follows.

  • The work should be properly executed;
  • Staff should be properly supervised;
  • Assurance derived from the entity's control activities should be obtained through tests of controls; and
  • Sufficient appropriate audit assurance should be obtained to afford a reasonable basis to support the conclusions of the auditor.

6.2 For proper execution of the work, each team member must have a general understanding of the overall audit approach and an appreciation of how individual audit sections contribute to the overall assurance required for the audit as a whole. In addition, team members should understand the nature of any inter-section dependencies or, alternatively, of cross-component satisfaction where assurance derived from one section provides assurance for another. This general understanding of the audit and its interrelated components is normally conveyed at the initial team planning meeting described earlier in Chapter 5—Annual Audit Planning.

6.3 At an individual section level, it is equally important that the responsible auditor fully understands the objectives of the work to be performed and the time-frame in which the work is to be completed. In that regard, coaching by the supervisor plays an important role in conveying the necessary understanding. However, the auditor is responsible for ensuring that he/she is completely familiar with the objectives of the work assigned and with the steps required to achieve those objectives.

Supervision, Coaching, and File Review

6.4 Supervision and coaching occur at various levels of responsibility within the audit team and include the following:

  • ensuring that team members understand their assignments;
  • ensuring that the work is being carried out in accordance with the planned approach;
  • addressing and communicating significant issues that have arisen during the audit, assessing their implications, and assisting in their resolution; and
  • monitoring the progress of team members on their assigned sections.

6.5 Under the Office's approach, both the auditor and the supervisor share the responsibility for effective supervision and coaching. The supervisor provides timely support and guidance that facilitates the auditor "doing it right the first time." The auditor keeps the supervisor informed of progress on a timely basis and seeks guidance when appropriate. The two engage in regular briefings to successfully complete the work required in the audit file.

6.6 To complete the Execution Phase of individual audit sections, work performed by auditors is reviewed in detail by more experienced team members. Reviewers are responsible for ensuring that

  • the audit work has been performed in accordance with the original or a modified audit plan;
  • the objectives of the planned procedures have been achieved;
  • the nature, timing, and extent of the audit work performed is adequate in light of the results obtained;
  • the work has been performed in accordance with professional standards and regulatory and legal requirements;
  • significant matters have been raised for further consideration;
  • the conclusions reached are consistent with the results of the work performed;
  • consultations have taken place, where appropriate, and the resulting conclusions documented; and
  • the evidence obtained is sufficient and appropriate to support the Auditor's Report.

6.7 In the case of higher risk sections or matters, the audit Principal or the Director would also review the file subsequent to review by the immediate supervisor. These additional reviews would be conducted to ensure that the Experienced Auditor Principle has been achieved.

6.8 Satisfactory completion of the procedures described in the paragraphs above would normally provide assurance that sufficient, appropriate audit evidence had been obtained to afford a reasonable basis to support the conclusions reached in individual audit execution sections.

ANNUAL AUDIT POLICY

The audit Principal should ensure that the audit is executed in accordance with the strategic approach documented in the Preliminary Audit Approach by Cycle template.

The audit Principal should ensure that detailed file reviews are conducted on a timely basis in order to comply with the Experienced Auditor Principle.

Sections of the file that are considered to be of higher risk may require additional review.

Techniques for Gathering and Documenting Audit Evidence

6.9 Inspection and computation are common methods of obtaining audit evidence. Inspection of documents and records provides varying degrees of reliability depending on the nature and source of the documents. Computation or recalculation provides a high level of assurance with respect to arithmetical accuracy. Inspection of physical assets provides highly reliable evidence of existence and some indication of value (if it does not appear damaged or obsolete) but not necessarily of ownership or value.

6.10 Observation of the application of client's policy or procedure provides assurance of that procedure at a given point in time, but not necessarily of its performance at other times during the year.

6.11 Inquiry and confirmation range from written requests addressed to third parties to oral questions of individuals within the entity. Although inquiry has always been an integral part of audit, it is becoming an increasingly important method of collecting audit evidence due to the increasing use of "soft information" in financial statements. Specifically, soft information is based on estimates, expectations, and assumptions. In addition, more reliance is placed on management controls where little documentation may exist to support the existence of the review being performed and follow-up action taken where results are out of line with management expectations. In such cases, inquiry may be the primary (or only) source of evidence that the controls are in place and working effectively.

6.12 Inquiry is used throughout the audit to

  • obtain knowledge of the entity's business;
  • develop the Preliminary Audit Approach by Cycle;
  • collect specific evidence; and
  • corroborate evidence collected by other means.

6.13 A solid understanding of the control environment is important in order to assess the extent to which inquiry will be effective in obtaining reliable evidence. For example, in an environment in which management's integrity and trustworthiness are high, the auditor may be able to place relatively more reliance on inquiry. Accordingly, the completed Control Environment template provides important input to the decision regarding the extent to which inquiry will provide sufficient, appropriate evidence.

6.14 Analysis is used at various stages of the audit for different purposes. Preliminary analytical procedures are used when planning the audit to confirm the planned audit approach or to identify new risk areas that need to be addressed during the audit. For further discussion, see "Preliminary Analytical Review Procedures" in Chapter 4. At the Reporting and Completion phases of the audit, analytical procedures are used to assess whether the financial statements taken as a whole are reasonable and consistent with our knowledge of the business and the expected results for the year.

Compliance With Authorities

6.15 In testing specific authorities, it is important for auditors to recognize that either the authority has been complied with or it has not. Unlike a detailed test of a transaction, where the valuation assertion may be understated or overstated by a wide range of values, a given authority normally has only two possibilities: compliance or non-compliance.

6.16 When identifying the significant authority requirements at the strategic Planning Phase, the audit team has already made a preliminary assessment of those instances considered reportable in either the Auditor's Report or the management letter. Accordingly, whenever a possible instance of non-compliance comes to the attention of the auditor, the following steps must be taken:

  • the auditor reconfirms his/her understanding of the authority requirement through discussion with the responsible Director and/or audit Principal;
  • the facts of the matter are verified with the appropriate entity official(s) and, where appropriate, with other involved parties;
  • the existence of any other evidence pertinent to the matter is confirmed; and
  • the auditor consults with Legal Services as necessary.

6.17 In carrying out testing to assess compliance with authorities, the audit team must follow the general directions set out in the Preliminary Audit Approach by Cycle and complete the specific procedures developed for the detailed audit plans. All audit team members share the responsibility of understanding the intent of all authority instruments being tested, and how the planned audit procedures provide assurance in support of the conclusion on compliance.

6.18 Consultation with Office specialists may also be required. The particular specialist(s) that should be consulted will vary depending on the circumstances but could include one or more members of Legal Services or the Annual Audit Practice Team, a Forensic Audit Specialist, and a Quality Reviewer.

Reliance on Management and Monitoring Controls

6.19 In the Execution Phase, the audit team performs testing procedures on the management and monitoring controls that it intends to rely upon.

Testing M&M Controls

6.20 The type of M&M controls testing depends on the category of the control (for example, system analytics requires different testing than an analysis of performance against budget). Typically, testing would involve

  • understanding and documenting the policies and procedures related to the analysis;
  • confirming the process, the data used, and the length of time the controls have been in place;
  • interviewing the individuals who perform the analysis, those who review and approve variances or exceptions, and those responsible for the reports used; having them walk the auditor through the process to confirm his/her understanding and to ensure consistency in the process. The entity's personnel should be questioned at each point in the process to ensure that they understand the reasons for the controls and that they are looking for the appropriate type of information to identify deviations or unusual results;
  • reviewing the documentary or other corroborating evidence that demonstrates that the analyses were reviewed by management in accordance with established policies and procedures. Note that "review" constitutes inspection of evidence of several applications of the control, but not agreeing to supporting documentation or testing any data. When reviewing the corroborating evidence, team members should confirm with the personnel involved the purpose of the review and the specific things they look for when performing the exercise.
  • inquiring and reviewing follow-up and corrective action with management. It is not sufficient for management to have only looked at the M&M control and its results. In order for the control to meet our objectives, management must also analyze results, take corrective action when unexpected variances arise, and follow-up to ensure that steps have been taken to remediate the situation.

6.21 Instances of the application of the M&M control being tested should be reasonably distributed throughout the period of intended reliance. If the source of the information used in the analysis is not audited (for example, "blackbox systems"), additional testing must be conducted before reliance can be determined.

6.22 More detailed guidance on identifying and auditing management and monitoring controls is found on the Annual Audit INTRAnet site.

Reliance on Control Activities

6.23 In the Execution Phase, the audit team performs testing of key control activities on which it intends to place reliance. See "Control Testing Guidance" on the Annual Audit INTRAnet site for detailed information on testing manual and automated processing controls as well as general computer controls.

Reliance on General Computer Controls

6.24 Where audit assurance is required from automated controls in a business cycle, it is important that the team's IT Audit Specialist tests the adequacy of general computer controls for the technical infrastructure supporting IT systems.

6.25 The key areas for the IT Audit Specialist's review include:

  • controls over program maintenance activities and upgrades to the client's operating systems;
  • database administration procedures;
  • information security for related systems, including policies and procedures and monitoring of security;
  • computer operational controls (assess the controls in place for day-to-day operations);
  • change management controls (including systems development and program maintenance processes); and
  • reports relating to general computer controls completed by the entity's internal audit department and the conclusions reached therein.

Documenting, Assessing, and Testing General Computer Controls

6.26 The IT Audit Specialist will document his/her testing of general computer controls using the "Entity—General Computer Controls (GCC) Testing" template in TeamMate and provide a conclusion on the adequacy of these controls.

6.27 If the IT Audit Specialist concludes that the general computer controls are not adequate, he/she should communicate, to the individual responsible for managing the audit, the impact that the control weaknesses would have on the audit.

6.28 Based on the impact of noted weaknesses, the team's IT Audit Specialist and financial auditors may need to determine whether compensating controls at the business cycle level mitigate the effects of these general computer control weaknesses.

ANNUAL AUDIT POLICY

When reliance is placed on IT-dependent application controls, the audit Principal should ensure that the relevant general computer controls are tested for operating effectiveness. Typically, an IT Audit Specialist will perform this work.

Analytical Procedures

6.29 Analytical procedures are substantive procedures that compare the amount recorded by the entity with an amount that the auditor expects. The auditor's expectation of the amount is derived from his/her knowledge of relationships between the amount being audited and some other independent data. The data used in arriving at the auditor's expectation of the amount may be financial or non-financial and may originate from within or outside the entity being audited. Analytical procedures vary from simple comparisons—such as comparing the current year amounts (or ratios) with prior year amounts (or ratios)—to complex analysis using advanced statistical techniques and computer audit software—such as multiple regression analysis software. For more information, see "Guidance on the Application of Analytical Procedures" on the Annual Audit INTRAnet site.

6.30 The Office categorizes analytical procedures as follows:

Category
Well-suited
to Public Sector?
Description
Key Factors to Consider
Single Component Comparisons
Yes

There are two types:

  • a comparison of recorded amounts against budget amounts; and
  • trend analysis, comparing current amounts to comparable amounts from the prior period.

Budget:

  • Can the budget be relied on?
  • Who reviews the budget?
  • Is the budget updated throughout the year?
  • Prior Year:
  • Has the nature of the business changed (major clients, product mix, etc.)?
  • What have been the economic trends in the intervening period?
Systems Analytics
Yes
Systems analytics involve the identification of unusual items within accounts rather than an analysis of the account balance taken as a whole. Procedures include scanning or analyzing entries in transaction listings, subsidiary ledgers, general ledger control accounts, adjusting entries, suspense accounts, and reconciliations.
  • What is significant or unusual?
  • What volume of activity is normal or expected?
  • What is the nature of the transactions going through the account?

Independent Tests of Reasonableness

(Predictive Analysis)

Yes
These involve the creation of an expectation using operating or external data (independent of the accounting process) as well as financial data to predict an amount under examination (for example, using employee head counts and average remuneration statistics to predict payroll expense).
  • Can the balance be predicted using an external factor?
  • How relevant is the external data source to the entity's business?
  • Can we rely on the accuracy of internally generated operational statistics?
Cross-Component Comparisons
No
These involve the analysis of the relationship of two or more financial statement variables. Usually, this is referred to as "ratio analysis." Examples include accounts receivable turnover and gross margin analysis.
  • Relationships between components
  • Changes in entity policies (for example, credit policies)
  • Knowledge of which events impact the numbers
  • Changes in the business environment
Regression Analysis
No (except for payroll)

Regression is a statistical technique that involves analyzing the known behaviour of variables and developing an equation (model) that explains the average relationship between these variables. A regression model is similar to an independent test of reasonableness, but it is more objective and provides a reliable estimate of an acceptable range of fluctuation.

For example, historical monthly staffing by level is regressed against average monthly salary levels to develop a model that predicts payroll expense.

  • Many of the factors relating to independent tests of reasonableness apply to regression as well.
  • If a history of data errors is used, the formula will incorporate the errors and predict poorly.

6.31 Factors that affect the degree of substantive assurance that can be derived from a particular analytical procedure are as follows:

  • the sophistication of the procedure used;
  • the plausibility and predictability of the underlying relationship between the amounts used for comparison; and
  • the extent to which the data used is independent, verifiable, relevant, and reliable.

6.32 It should be emphasized that the Office is looking for rigorous, thoughtful, quantitative-based analyses that provide substantive assurance. A five-step approach has been developed to help guide auditors in developing a suitably rigorous approach:

5 - Step Approach graphic

6.33 Strong support and involvement is needed from the audit Principal and Director to ensure that the analytical procedures used are conceptually sound and take into account all factors that could or should result in large changes in specific components.

Substantive Tests of Detail

General

6.34 Substantive tests of detail are useful sources of assurance when a combination of Reliance on Controls and analytical procedures does not provide the required level of assurance, or in unusual circumstances where a Reliance on Controls approach is neither feasible nor cost-effective. The nature and extent of the assurance required from tests of details should be determined after considering matters such as the control environment; CAKE; reliance on monitoring, application and general computer controls; and the ability to develop effective analytical procedures.

6.35 The most common tests of details are as follows:

  • confirmations (for example, accounts receivable);
  • observation of the items comprising an account balance (such as inventory observations);
  • inspection of documents (for example, reviewing a lease contract to assess whether it is capital or operating); and
  • matching transaction details to supporting documentation (for example, audit sampling testing).

6.36 Substantive tests of details are often the most appropriate way to test compliance with authorities. The reason for this is that some authority requirements do not lend themselves to a controls-reliant approach (for example, the requirement for ministers responsible for Crown corporations to table before Parliament a summary version of the corporation's Corporate Plan).

6.37 The primary disadvantage of substantive tests of details is that they are not as efficient as other techniques. Also, they may not provide sufficient appropriate audit evidence for significant risks at the assertion level.

Other Selective Testing Procedures and Audit Sampling

6.38 The remainder of this section deals with selective testing procedures and audit sampling testing. Under the Office's methodology, there are three primary techniques for selecting transactions for detailed testing:

  • targeted testing (such as high value and/or high risk);
  • "top-up" testing (such as small judgmental selections); and
  • representative sampling (such as dollar unit sampling).

6.39 Targeted testing. Targeted testing involves selecting items of a particular size or with particular characteristics and that are not representative of the population as a whole. Items may be selected in the following ways:

  • Coverage—Coverage-based selection recognizes the size of items making up the population and gives greater emphasis to higher value items. For example, if a population contains five items that comprise 80 percent of the total value of the population, a high level of assurance can be obtained in relation to existence and accuracy by selecting just the five items. However, where material monetary understatement is equally likely to be found in small value or "no-value" recorded amounts, a test targeted on coverage alone is not appropriate. Generally, any item that, individually, has a high risk of containing an error exceeding materiality should always be examined.
  • Weighting—The selections may also be "weighted." For example, tests for completeness of trade payables might be weighted by selecting larger suppliers rather than large payables balances.
  • Risk—The selections may also be based on other criteria, such as items we perceive to be of higher risk. For example, termination payouts related to downsizing may be targeted to validate entitlement and the appropriateness of the amount paid.

6.40 It is important to note that targeted testing is not based on the same principles as representative sampling. Consequently, if errors are found, they should not be projected.

6.41 In rare cases, it may be appropriate to obtain a significant portion of audit assurance from targeted testing. This would be the case where controls reliance was considered neither practical nor cost-effective and targeted testing provided a great deal of coverage.

6.42 The table below provides some rules of thumb that would support moderate to high levels of assurance from targeted testing.

RULES OF THUMB
Level of Assurance Required
Required Level of Audit Work
Moderate Targeted selection with a coverage by dollar value of between 40 percent and 80 percent. Note: If the remaining unaudited coverage is greater than twice materiality, the total selection should consist of at least 30 items.
High Targeted selection with a coverage by dollar value of 80 percent or more (including all items greater than materiality) and remaining unaudited coverage is not greater than twice materiality.

6.43 "Top-up" testing. Top-up testing is a form of judgmental selection designed to provide low levels of substantive assurance. Top-up testing is appropriate when Reliance on Controls, analytical procedures, and targeted testing have provided most, but not all, of the assurance considered necessary by the audit team. Since targeted testing is generally preferable to top-up testing, the audit team would ensure that the maximum benefit had been obtained from targeted testing before turning to top-up testing. Top-up testing would also be appropriate where a particular residual risk needs to be addressed but the risk applies to a relatively small element of a financial component. For example, a top-up sample of overtime payments might be appropriate where the overtime population is relatively homogeneous, as targeted testing might be ineffective in such circumstances.

6.44 Top-up testing is not an appropriate technique when substantive tests of details constitute the primary source of audit evidence for a significant financial statement component. In such circumstances, the auditor would apply dollar unit sampling (see below) after taking into account targeted testing parameters. Top-up testing would also not be appropriate if it was providing the majority of assurance relating to a residual risk whose population was more than two times materiality.

6.45 Selection sizes for top-up testing can range from 12 to 20 items. Deciding which end of the range is appropriate will depend largely on CAKE and the other testing being performed. For example, if a significant portion of the substantive assurance will come from the test results (perhaps because targeted testing is not practical), the higher end of the range would be appropriate. Conversely, if the test is being done only to add to assurance gained from a variety of other tests, the lower end of the range will be sufficient. Over time, as the team's CAKE increases (and other factors remain unchanged), the number of items required should decrease (in other words, start with 20 and end with 12).

6.46 Top-up testing is designed to corroborate earlier findings. If errors are found in top-up testing, the auditor should reassess the results of earlier testing or expand the testing until a conclusion can be reached as to the presence of a material error.

6.47 Representative (statistical) sampling. In rare cases, we may find that it is either impossible or too costly to obtain audit assurance primarily from a combination of Reliance on Controls and analytical procedures. In such circumstances, we would look to statistical sampling based on "dollar unit sampling" (DUS) techniques. The audit software tool used to assist auditors in the planning, extraction, and evaluation of statistical samples is IDEA.

6.48 Before any DUS procedures can be conducted, the audit Principal should expect his/her team members to have defined the following elements:

  • the purpose (objective) of the procedure, including the assertion(s) being addressed;
  • the population from which the sample will be selected;
  • appropriate audit evidence;
  • what will constitute an error; and
  • the confidence level (or the sampling risk) for the procedure.

Refer to Practice Statement #14—Materiality and Evaluating Misstatements

6.49 Two other important sampling inputs are materiality and planned precision. Materiality, defined in the Planning Phase, relates to the maximum allowable error. The auditor normally plans to perform enough work to conclude that, based on the results of all the audit tests, the chance of the maximum possible error exceeding materiality is less than or equal to the ultimate audit risk he/she is willing to assume.

6.50 This means, for example, that the auditor cannot simply equate the net most likely errors to materiality; there must be an allowance for further possible errors. This allowance is referred to as the "precision." Planned precision is determined during the Planning Phase, as illustrated below.

Planned Precision Illustrative Example

 
Overstating (Understating)
Current Year's Income
Materiality for the engagement

 

$300,000
  • Expected aggregate errors in current year's net income (Net of the reversing impact of prior years' errors)
($50,000)
 
  • Cushion to allow for fact that current year-end audit results may exceed those anticipated in (1)
(20,000)
(70,000)
Planned precision (should normally not be less than half materiality, in this case $150,000)
 
$230,000

Statistical Sampling—Extent of Testing Decisions

6.51 The extent of testing will be performed at one of two levels: moderate or high. These options are outlined in the table below.

Level of Assurance Required
Required Level of Audit Work
Moderate Representative sample (normally statistical via DUS) using a 70 percent confidence level
High Representative sample (normally statistical via DUS) using a 90 percent confidence level

6.52 Errors identified during the testing of a DUS sample should always be projected to the population subject to testing, using the appropriate methodology. Teams should use IDEA for this purpose.

Refer to Practice Statement #17—Audit Sampling

Documentation of Audit Procedures

6.53 In all cases, it is important to appropriately document

  • the nature of the tests performed (what kind of test was performed, what kind of evidence was sought);
  • the extent of the test procedures (how deeply the auditor probed, how many tests were performed, what portion of the fiscal period was covered by the tests);
  • the timing of the test procedures (when the testing was performed);
  • the results of the tests and other procedures; and
  • the conclusions reached by the auditor.

6.54 Ideally, the auditor includes as much of this information as possible in the detailed audit procedure steps. In that way, when the TeamMate file is rolled forward for the next audit, should the same audit procedures be appropriate, the auditor will need only to document the results of the tests performed and the conclusions reached. Such practices promote the execution of an efficient audit.

6.55 For each business cycle, the auditor will also document in the Summary of Comfort the level of assurance obtained from completing audit procedures (controls testing, analytics, and other substantive tests of details) for specific financial statement components and assertions.

6.56 Documentation practices should be consistent with the Experienced Auditor Principle, enabling an experienced auditor to understand the audit procedures performed, the evidence obtained, the results and conclusions reached, and all significant issues and findings observed.

6.57 When documenting the audit file according to the Experienced Auditor Principle, auditors must consider the quality of the entity's file and documentation retention policies and practices. The team members should ensure that they are familiar with the entity's practices in this regard, and adjust their file documentation practices accordingly.

ANNUAL AUDIT POLICY

The audit Principal should ensure that the audit team's documentation of audit tests and other procedures is consistent with the Experienced Auditor Principle.

Quality Reviewer's Role in Execution

6.58 The Quality Reviewer should be consulted on matters of importance, such as key audit and accounting issues, on a timely basis.

7 Annual Audit Reporting and Completion

Evaluating Audit Results

Audit Differences Identified in the Financial Statements

Refer to Practice Statement #14—Materiality and Evaluating Misstatements

7.1 As the fieldwork is being completed, the audit team should be accumulating and summarizing non-trivial errors found during testing. The purpose of this practice is to estimate the likely aggregate misstatement in the financial statements. The likely aggregate misstatement is estimated by summing

  • misstatements identified as a result of performing specific auditing procedures other than representative (statistical) samples;
  • projections of misstatements identified during auditing procedures involving statistical samples;
  • disagreements with accounting estimates;
  • disagreements about the fairness of accounting principles applied; and
  • the net effect of uncorrected misstatements in opening equity.

7.2 The Office has designed a Summary of Unadjusted Differences template in order to present non-trivial unadjusted differences, along with those corrected by the entity, in such a way that facilitates evaluation of whether, in relation to individual amounts, subtotals, or totals in the financial statements, they materially misstate the financial statements as a whole. The audit Principal should review the Summary of Unadjusted Differences and ensure that the audit team has properly accumulated and evaluated the results.

7.3 The audit Principal should always consider qualitative factors when evaluating the impact of unadjusted differences. Qualitative factors may, in certain circumstances, result in misstatements of relatively small amounts that have a material effect on the financial statements. For example, misstatements that alter performance trends, turn operating losses into operating income, or that increase management's compensation could well be considered material, even though they might be less than our quantitative measure of materiality.

7.4 The audit Principal should also give due consideration to further possible misstatements, possible overall management bias in accounting estimates, significant changes in bias from one period to the next, and the potential impact on future years' results of differences identified in the current year.

Evaluating Compliance With Authorities and "Other Matters"

7.5 All potential cases of reportable non-compliance with authorities should be referred to the audit Principal for assessment and resolution. Such situations often involve legal interpretation of the relevant facts of the case, and will normally require consultation with Legal Services. Responsibility for ensuring that Office protocol is followed, and that resolution of the matter is properly documented, rests with the Director and the audit Principal (refer to consultation methodology and policies in Chapter 8—Consultation).

7.6 Non-compliance with authorities is considered significant and reportable where there is a serious deviation from legislative and other authorities with respect to purpose, monetary limits, and other restraints.

7.7 Although compliance is normally a yes-or-no situation, the authority paragraph in the Auditor's Report refers to compliance "in all significant respects." The auditor, therefore, has to assess the significance of the non-compliance situations identified and the attitude of the entity, as not all instances of non-compliance will necessarily be reported. The following factors must be considered when evaluating the significance of a non-compliance situation:

  • the significance of the deviation in relation to the dollar materiality of the transaction(s); it may or may not be advisable to report a deviation involving small monetary amounts;
  • the importance of the deviation considering the organization's legislative mandate;
  • the level of importance of the authority (non-compliance with a statutory requirement is likely to be more serious than non-compliance with a bylaw);
  • the pervasiveness of non-compliance (for example, where a situation reported previously only in the management letter is escalating and the entity does not intend to take corrective action);
  • the motivation behind the deviation, as an accidental occurrence may be dealt with differently than a voluntary and deliberate case of non-compliance;
  • the clarity of the situation (for example, a "borderline" case when there are opposing legal opinions from the entity and the Office);
  • the need to report the situation to Parliamentarians, after giving consideration to any public or parliamentary sensitivity or known need;
  • the corrective action, if any, taken by the entity (for example, an unauthorized transaction that is subsequently approved retroactively may not warrant disclosure); or
  • the impact of reporting, as the perceived role of the Office as an agent of change may influence the entity or the government to react to and change the unwanted situation.

7.8 Issues that may constitute "other matters" are also generally complex and difficult to evaluate. Generally, a process similar to that recommended for evaluating compliance with authority issues should be followed.

  • The facts should be reconfirmed through discussion with the entity.
  • There should be consultation with specialists in the Office, as appropriate.
  • The critical factors used in arriving at the conclusion should be explained.
  • The "other matter" and its final resolution should be properly documented.

Reporting Compliance With Authorities and "Other Matters"—Crown Corporations and Other Entities

7.9 Reporting the results of auditing compliance with authorities must be done in accordance with the legislative audit mandate or the terms of the engagement. For Crown corporations, significant non-compliance with the authorities specified in the FAA would be reported in the compliance paragraph as a "reservation." Significant non-compliance with other authorities would be reported as an "other matter."

7.10 The standard Office wording of Auditor's Reports for Crown corporations is used where there are no reservations.

Refer to Practice Statement #19—The Auditor's Report—Other Communications (emphasis of matter, other matter and non-compliance with authorities)

7.11 Depending on the significance of the non-compliance situation and results of discussions with the entity, any reservation of opinion could be presented in one of the following ways:

  • a description of the situation in a separate paragraph between the opinion on the fairness of the financial statements and the opinion on compliance with authorities, with an "except for" and reference to the reservation paragraph in the opinion on compliance paragraph; or
  • a brief description of the non-compliance situation in the compliance paragraph, with the use of "except for."

7.12 It is advisable that any situation of non-compliance not included in the Auditor's Report be included in the management letter and fully discussed with management and those having oversight responsibility for the financial reporting process (such as an audit committee).

7.13 Additional information is available in "Audit Guide on Reporting ‘Other Matters' in Annual Audits" on the Annual Audit INTRAnet site.

Reporting Compliance With Authorities—Public Accounts of Canada

7.14 The results of all compliance with authority work carried out by the Office should be considered in assessing audit assurance on the compliance-related information included in the Summary Financial Statements of the Government of Canada.

7.15 All compliance with authorities work, whether under performance audits or Crown corporation and other separate opinion audits, provides audit assurance on this information.

Reporting on Fraud and Errors

7.16 The auditor should communicate, on a timely basis, with appropriate levels of management regarding any fraud, suspected fraud, or non-trivial errors identified during the course of the audit. The auditor should consider communicating these matters to those with oversight responsibility for the financial reporting process, regardless of whether the error was corrected or whether the fraud or suspected fraud has a material impact on the financial statements. Guidance on reporting occurrences of wrongdoing and fraud can be found in "Wrongdoing and Fraud Audit Guide" on the INTRAnet site.

7.17 The auditor should always inform such a body (audit committee or equivalent) of those misstatements identified during his/her examination that management declined to correct because they were considered immaterial, individually or in aggregate, to the financial statements taken as a whole. The auditor would also communicate, where appropriate, any concerns of a reporting nature that might be construed as "fraudulent financial reporting."

7.18 Opportunities identified by the auditor to help strengthen the organization's risk assessment processes (as they pertain to the prevention and detection of fraud and error), the related control framework, and cultural values would be communicated to the entity in the form of a management letter.

TeamMate Documentation

7.19 Audit findings, such as audit differences, non-compliance issues, management letter comments, and planning points, are documented as "Exceptions" in TeamMate. This feature provides a consistent format for documenting issues and findings in the audit file. They are grouped by category of findings and require information on the nature of the observation along with their implication, recommendation, and management response. Exceptions are easily accessible by all team members through the Exception Viewer. In addition, TeamMate allows team members to create an Exception Report that can be used in the preparation of subsequent reports and communications.

Final Analytical Procedures

7.20 Prior to issuing an Auditor's Report, final analytical procedures should be performed. These generally consist of a high-level review of the financial statements and related management performance reports (which could include non-financial information) in order to provide assurance that the financial statements, taken as a whole, are consistent with the team's understanding of the business, the results of the audit procedures, and management's own analyses.

7.21 Final analytical procedures normally confirm judgments made during the audit. However, the auditor should be alert for unusual or unexpected balances or relationships, which might indicate that additional audit procedures are warranted. For example,

  • planning materiality may have been set too high (for example, planning materiality was based on budgeted expenditures, and actual expenditures are significantly lower);
  • component balances expected to be insignificant may have become material since the planning Phase of the audit; and/or
  • changes in one or more component balances may indicate a heightened risk of fraud or the presence of error.

7.22 Before undertaking significant new audit work, the audit Principal and/or the Director would seek out adequate explanations and/or corroborative evidence to explain these unexpected results (where appropriate).

Quality Reviewer's Role in Reporting

7.23 The Quality Review function is a critical component of the Quality Management System for annual audit, particularly during the Reporting Phase. For detailed guidance on this function, refer to "Quality Reviewer Guidance for Annual Audit" on the INTRAnet site.

ANNUAL AUDIT POLICY

On those audits for which a Quality Reviewer has been appointed, the audit Principal is responsible to ensure that the Quality Reviewer

  • is involved on a timely basis;
  • receives the information needed to perform his/her review of the Execution and Reporting phases of the audit; and
  • has completed his review and agreed to the documentation of the disposition advice provided prior to recommending signature of the Auditor's Report.

Annual Audit Practice Team Review

7.24 The Annual Audit Practice Team (AAPT) financial statement review has two broad objectives:

  • to ensure that there is a consistent approach to significant audit issues throughout the Office; and
  • to ensure that Auditor's Reports conform to professional reporting standards and are appropriate to the financial statements presented.

7.25 The AAPT's specific responsibilities are to assess

  • the clarity, accuracy, and completeness of the financial statements and accompanying notes;
  • the appropriateness of the financial statements presented in meeting the needs of the entity's users and in conforming with all legal and professional reporting requirements; and
  • the appropriateness of the Auditor's Report.

7.26 To facilitate the AAPT's review, the audit Principal is responsible for performing an initial review of the draft financial statements and Auditor's Report. Subsequent to his/her review, the audit Principal will provide the AAPT with the following:

  • the draft Auditor's Report in English and French;
  • draft financial statements, including notes;
  • the Report Clearance Summary;
  • management's statement of responsibility;
  • the draft report (if prepared) to those having oversight responsibility for the financial reporting process; and
  • a financial statement review checklist.

7.27 The AAPT will review the appropriateness of the draft Auditor's Report, taking into account the financial statement presentation and format; the accounting principles followed; the clarity, accuracy, and completeness of notes to the financial statements; and other information presented to them. Based on the results of their review, the AAPT will prepare a memorandum to the audit Principal summarizing the results of the review and providing advice in areas where the AAPT believes the statements and/or the Auditor's Report could be improved. When there is mutual agreement on the issues raised in the AAPT review memorandum, and the financial statements have been finalized, the audit Principal and AAPT co-sign the memorandum. If the audit Principal declines the advice offered in areas considered by the AAPT to be critical, the audit Principal, after consultation with the AAPT, will present the relevant facts to the AAG and Auditor General, as appropriate, for resolution.

7.28 Consultation with the AAPT and policies related to this topic are discussed more fully in Chapter 8—Consultation.

ANNUAL AUDIT POLICY

The audit Principal should consult with the Annual Audit Practice Team on the draft Auditor's Report, draft financial statements, and matters of significance related to the report. The audit Principal should document his/her disposition of any advice received from the AAPT and obtain agreement on the advice disposition prior to recommending signature of the Auditor's Report.

Sensitive Issues

Refer to Practice Statement #19—The Auditor's Report—Other Communications (emphasis of matter, other matter and non-compliance with authorities)

7.29 Certain sensitive issues should be brought to the attention of the Auditor General prior to the signing of the Auditor's Report. These issues include such matters as proposed reservations of opinion, significant non-compliance with authorities, proposed "other matters," management estimates that have a significant impact on the reported results of operations, controversial professional positions, or "other matters" with the potential for broader implications beyond the audit entity alone.

ANNUAL AUDIT POLICY

The audit Principal and the responsible Assistant Auditor General should consult the Auditor General on any proposed reservations of opinion, "other matters," or any other sensitive issues, prior to the signing of the Auditor's Report.

Report Clearance Summary

7.30 The Report Clearance Summary folder in TeamMate provides a framework for the audit Principal to document completion and clearance of an annual audit (or of a special audit engagement) and a basis for the necessary reviews and approvals.

Confirm Audit Approach

7.31 In this audit step, the audit Principal confirms that the audit findings have met the objectives set out in the strategic audit approach, and that

  • there were no significant risks identified that were not already included in our planned audit approach;
  • the results of tests of controls support the intended level of reliance;
  • substantive procedures provided the planned level of audit assurance; and
  • any unusual observations made while performing the final analytical procedures have been satisfactorily addressed.

7.32 This step also involves finalizing the Summary of Comfort for each business cycle or financial statement component.

ANNUAL AUDIT POLICY

The audit Principal should ensure that the audit work has been performed as planned and that sufficient and appropriate audit evidence has been obtained for each assertion.


Report Clearance Summary Document

7.33 In completing the Report Clearance Summary template, the audit Principal provides information on significant findings or issues that should be brought to the attention of the signatory of the Auditor's Report, including the actions taken to address the findings or issues and the basis for the conclusions reached. Significant findings or issues include, but are not limited to, the following:

  • information on significant risks and response, significant judgments, new accounting/assurance standards, fraud and wrongdoing, independence, consultation, quality review (if applicable), and other relevant auditing matters;
  • any unsettled disagreements with the AAPT or Quality Reviewer;
  • an overview of the entity financial performance;
  • summarized information on the overall unadjusted differences;
  • a description of the work performed on executive compensation, travel, and hospitality;
  • information on the business cycles where audit assurance was obtained from Reliance on Controls, or where substantive steps were taken to move to controls reliance in the future; and
  • audit performance information and the anticipated costs and hours for next year's audit.

The report to those having oversight responsibility for the financial reporting process may also be referenced, to the extent that this information is included in the Report Clearance Summary.

7.34 The information contained in the Report Clearance Summary folder should be prepared at an appropriately high level of aggregation. Key discussion points and any additional steps required as a result of review should be noted in the appropriate section of the TeamMate file.

7.35 The Report Clearance Summary is normally prepared under the direction of the audit Principal. The Quality Reviewer (if one was appointed) should be consulted before the Summary is finalized and presented to the delegated signatory. If the signatory is the Auditor General, the responsible Assistant Auditor General should also approve the Summary. The signatory should be provided with a replica copy of the Reporting and Completion folder to facilitate review.

7.36 The AAPT is also to be provided with a TeamMate replica copy of the Report Clearance Summary along with the draft Auditor's Report and the financial statements and notes. Where there are unresolved differences of opinion between the audit team and the AAPT, the AAPT should be provided with the opportunity to review and provide comments on the Summary before it is finalized.

Refer to Practice Statement #8—Multi-Location (Group) Audits

7.37 For the annual audit of the Public Accounts of Canada, each entity audit team and the Central Team should prepare a Report Clearance Summary. In those rare cases where there are unresolved differences of opinion between the Central Team and the entity team, the entity team should document its opinions in the Report Clearance Summary.

Recommendation for Signature

7.38 The audit program in the Report Clearance Summary folder contains the recommendation by the responsible individual(s) that the delegated signatory sign the Auditor's Report as presented. This audit step provides standard wording and specifies matters on which explicit representations are required. The individual responsible for giving final clearance to the Auditor's Report is determined according to the Office's approved "Delegation of Signing Authority," which is available on the Annual Audit INTRAnet site.

7.39 Those reviewing and approving the Report Clearance Summary audit steps want to know quickly whether there are any exceptions to the standard representations made. Therefore, the standard wording is always to be used for the "Principal's Recommendation for Signature," "Responsible AAG's Recommendation for Signature," and "Clearance by the Audit Report Signatory," with any exceptions clearly identified, ideally through the use of coloured text.

ANNUAL AUDIT POLICY

The audit Principal should ensure that there is adequate documentation of the completion of the audit and recommendation to sign the Auditor's Report in the Report Clearance Summary folder. The Summary should then be approved by the individual with delegated signing authority.

Refer to Practice Statement #18—The Auditor's Report

Refer to Practice Statement #19—The Auditor's Report—Other Communications (emphasis of matter, other matter and non-compliance with authorities)

Signing the Auditor's Report

7.40 The Auditor General has approved a Delegation of Signing Authority for the Auditor's Reports of the Office's annual audits. Once the audit report has been signed, it is scanned into the electronic file and the original retained in the paper file for the annual audit.

ANNUAL AUDIT POLICY

The audit team should obtain the signature for the Auditor's Report in accordance with the Delegation of Signing Authority approved by the Auditor General for annual audits.

Management Letter of Representation

Refer to Practice Statement #20—Written Representations

7.41 A letter of representation is obtained for every audit and is dated so as to be effective as of the date of the Auditor's Report. A template for a generic management representation letter is available on the Annual Audit INTRAnet site.

Refer to Practice Statement #20—Written Representations

ANNUAL AUDIT POLICY

The audit Principal should ensure that a letter of representation is obtained from the appropriate level of management to be effective as of the date of the Auditor's Report.

Reporting to Those Having Oversight Responsibility for the Financial Reporting Process

Refer to Practice Statement #16—Report to the Audit Committee

7.42 The audit Principal should prepare a formal written report to the body having oversight responsibility for the financial reporting process. It should outline the results of the examination of the entity's annual financial statements and discuss all matters likely to be of significance or concern to the body's membership.

7.43 One area of particular significance to the fair presentation of financial statements is the quality of the accounting principles selected by management. To assist the body having oversight responsibility for the financial reporting process, the auditor communicates his/her professional judgments on the qualitative aspects of those accounting principles having a significant impact on the entity's financial reporting results.

7.44 The auditor should also communicate matters arising from the audit that, in the auditor's judgment, are important and relevant to the oversight body.

7.45 Some of the more important areas to discuss include the following:

  • reconfirmation of our independence;
  • the audit results in relation to each of the matters of significance identified in the planning report;
  • the results of audit procedures in areas involving significant management judgments and estimates (often included in the bullet above);
  • matters that have a significant effect on the qualitative aspects of accounting principles used in the entity's financial reporting;
  • any concerns or issues that were identified relating to asset or liability carrying values;
  • any concerns or issues that were identified in relation to the recognition (or non-recognition) of significant revenues and/or expenses;
  • an explanation of the Auditor's Report being submitted; and
  • results of our review of the client's annual report.

7.46 Other areas that should be brought to the attention of those having oversight responsibility for the financial reporting process are

  • instances of fraud identified during the audit;
  • instances of illegal, or possibly illegal, acts;
  • misstatements identified during the course of the examination that management declined to correct because they were considered immaterial, individually or in aggregate, to the financial statements taken as a whole;
  • any significant errors identified during the course of the audit that were corrected by management but which could indicate the existence of serious control weaknesses;
  • any concerns of a reporting nature that might be construed as "fraudulent financial reporting;"
  • any other areas of significant disagreements with management;
  • significant weaknesses in internal control identified by the auditor; and
  • related party transactions outside the normal course of operations and which involve significant judgments by management concerning measurement or disclosure.

7.47 The report to the oversight body should be provided to senior management of the entity for review and comment prior to being finalized. Any significant matters raised by management or the audit committee members on the content of the report to the audit committee and significant discussions should be documented in the audit file. The team should communicate in writing, in the entity's language of choice, and be prepared to communicate in both official languages.

Refer to Practice Statement #16—Report to the Audit Committee

ANNUAL AUDIT POLICY

The audit team should communicate in writing and on a timely basis with those having oversight responsibility for the financial reporting process. This report should describe the results of the audit and any significant observations and/or recommendations arising from it, as well as other information required by generally accepted auditing standards.


Meeting the Audit Committee "In Camera"

7.48 It is good practice for the auditor to meet with the audit committee without management present, as this allows for a full and frank discussion between the auditor and the audit committee. We should encourage these "in camera" sessions as a normal and constructive practice.

Review of the Annual Report

7.49 Whenever an Auditor's Report is to be included in an annual report or other published document, we should arrange to read the other information to ascertain that, based on our audit of the financial statements, we believe it to be free of any material misstatement of fact or material inconsistencies with information appearing in the financial statements. Where we believe that it is materially misleading or inconsistent, we should attempt to convince management (or the directors) to correct the other information. If the required corrections are not made, it may be necessary to refuse to sign or to withhold the use of our report. This review should be completed while the annual reports or other documents are in draft form, in order to permit any concerns the auditor may have to be acted upon before the document is finalized and printed.

7.50 Most audit entities now post their annual reports, including their audited financial statements, on the Internet. The auditor should take appropriate steps to ensure that the audit entity has accurately reproduced the financial statements, including the Auditor's Report, on the Internet. Even if we have no obligation to monitor subsequent amendments to the financial statements on the website, or those posted on other electronic sites, it is important to ensure that the entity has appropriate controls in place

  • to ensure that the financial statements posted to the Internet are accurate and complete; and
  • to prevent unauthorized changes to information.

Management Letters

7.51 During our audits, we frequently identify areas where audit entities could improve their systems of internal control and/or strengthen their financial and reporting practices. These observations are important to entity managers, and the auditor has a professional obligation to inform the appropriate level of management. This may be done orally or via a management letter. In any case, discussions and communication with management on audit observations are documented in the audit file.

7.52 Where important internal controls either do not exist or are ineffective, our management letters should include specific suggestions on how to strengthen internal controls in the entity in order to facilitate more effective management and eventual reliance. Our suggestions should not be at a level of detail that could compromise our independence for future audits. Consideration should also be given to reporting the issue to Parliament.

7.53 The implementation of a methodology based on the identification of risk of material misstatement provides us with an opportunity to add value to our management letters. By having an improved appreciation of the broader level risks facing the entity, we will be in a good position to identify other issues of interest to management.

7.54 Examples of the types of value-added matters that we should bring to the attention of management and Parliament include

  • business risks that the entity does not appear to be managing;
  • risk management strategies that do not appear to be effective;
  • key performance indicators that would enhance management controls over operations; and
  • best practices in similar organizations that the entity should contemplate implementing in its operations.

7.55 Management letters may be written in point form or in long form. Individual management letter points should include a clear description of the observation, the consequences of the observation, recommendations for improvement, and comments of managers responsible for taking corrective action.

7.56 Management letters should normally be prepared under the signature of the responsible audit Principal. They should be reviewed by the responsible Assistant Auditor General in cases where the Principal is not the delegated signing authority for the engagement.

7.57 Management letters that are not timely do not serve the interests of the entity or meet our own expectations. A draft management letter should normally be issued within one month of the date of the Auditor's Report.

7.58 Matters significant enough to be reported should be followed up in subsequent audits.

ANNUAL AUDIT POLICY

The audit Principal should ensure that the results of the audit and any significant observations and recommendations that came to his/her attention are communicated to management, on a timely basis. This communication should be in the form of a management letter, unless another form of communication is approved by the audit Principal.

Documentation Completion Requirements

Refer to Practice Statement #21—Documentation Completion Requirements

Documentation Completion Date

7.59 There are three important dates that the audit team needs to consider and document for the Reporting Phase of the audit:

  • The Audit Report Date is the date by which the auditor has identified and sought all the audit evidence required to support his/her opinion, and has obtained and examined substantially all such evidence. This date is also referred to as the date of "substantial completion of examination" and is the date indicated on the Auditor's Report.
  • The Report Release Date is the date the auditor grants permission to use the Auditor's Report in connection with the issuance of the entity's financial statements. It is the date by which the Auditor's Report has been given final clearance by the signatory and by which the financial statements have been approved by the entity's board of directors, or its equivalent.
  • The Documentation Completion Date is the date by which a complete and final set of audit documentation is assembled. This corresponds to the date on which the TeamMate audit master file is finalized through the TeamMate Finalization process. In addition to the TeamMate master file, all paper files considered as an integral part of the audit, if any, also form part of the audit file documentation.

7.60 A complete and final audit file must be assembled within 45 calendar days after the Report Release Date. In the context of TeamMate, the process of completing the audit file documentation is done through the Finalization process, which moves the master file to the Complete/Finalized stage. To move the TeamMate audit master file into this Finalized stage, all steps and working papers have to be signed off as "reviewed." All paper files considered part of the audit, if any, must also be completed and finalized in the same time period.

ANNUAL AUDIT POLICY

The audit Principal should ensure that complete and final annual audit file documentation is assembled within 45 calendar days after the Report Release Date.

On rare occasions, where an element of documentation that has no impact on the auditor's opinion is completed after the Documentation Completion Date, the audit team should obtain approval from the Assistant Auditor General.


Subsequent Changes to Audit Documentation

7.61 By the Report Release Date, the auditor should have completed all necessary auditing procedures and obtained sufficient evidence to support the representations in the Auditor's Report. The completion of the assembly of the final audit file after the Report Release Date is an administrative process that does not involve the performance of new audit procedures or the drawing of new conclusions. Changes may, however, be made to the audit documentation during the final assembly process if they are administrative in nature. Examples of such changes include

  • deleting or discarding superseded documentation;
  • sorting, collating, and cross-referencing working papers;
  • signing off on completion of TeamMate audit steps relating to the file assembly process or administrative process; and
  • documenting audit evidence that the auditor obtained, discussed, and agreed on with the relevant members of the audit team prior to the Report Release Date.

7.62 When changes in the audit documentation are required to be made after the Report Release Date as a result of new audit procedures performed or the drawing of new conclusions, including amendments, the auditor must document when and by whom the additions were made and reviewed, the specific reasons for the additions, and the effect, if any, on the auditor's conclusions.

7.63 In rare cases where additions to audit documentation would be required after the Documentation Completion Date, and in addition to the requirements on documentation after the Report Release Date, the auditor must not delete or discard audit documentation from the final audit file. Where the auditor finds it necessary to make additions (including amendments) to audit documentation after the Documentation Completion Date, the auditor should document the additions in the paper file regardless of the nature of the additions. As an example, this could be the case when the annual report is issued or when a management letter is finalized after the Documentation Completion Date.

ANNUAL AUDIT POLICY

The audit Principal should ensure that there is documentation of the specific reasons for and the impact of any additions or amendments made to the audit file as a result of new audit procedures performed and/or new conclusions drawn after the Report Release Date.

After the Documentation Completion Date, the auditor should not delete or discard audit documentation from the final audit file. Where the auditor finds it necessary to make additions (including amendments) to audit documentation after the Documentation Completion Date, the auditor should document when and by whom the additions were made and reviewed, the specific reasons for the additions, and the effect, if any, on the auditor's conclusions.

The audit Principal should obtain approval from the Assistant Auditor General for all subsequent changes to audit documentation.

Other Audit Completion Activities

This section briefly describes other important tasks included in the "Audit Completion Activities" folder.

Final Meeting With Entity Management

7.64 The audit Principal and/or the Director should meet with entity management at the conclusion of the audit. The meeting should involve a brief "lessons learned" discussion where both the auditor and the entity's management would discuss aspects of the audit that were well executed and where opportunities for improvement exist, from both perspectives. The audit team should also have a preliminary discussion with entity officials about the areas for improvement that were identified during the course of the audit, and indicate when they will receive a draft management letter.

Staff Assessments

7.65 The Director should ensure that each team member's Assignment Planning and Assessment Form was completed in a timely fashion. Performance should be assessed in relation to the objectives established at the beginning of the audit. Performance feedback to staff has more value when it is delivered as soon as practical after the completion of the audit.

Post Mortem Team Meeting

7.66 As soon as possible after the completion of fieldwork, the audit Principal and/or Director should organize a post-mortem team meeting. The main purpose of this meeting is to identify opportunities to enhance the efficiency and effectiveness of the audit, while the experience is still fresh in team members' minds. A secondary purpose is to ensure that the audit files are properly closed out and archived.

7.67 Potential agenda items for the post-mortem meeting include

  • planning points for next year (see below);
  • possible methodology improvements;
  • opportunities to improve the efficiency of the audit;
  • proposed content of the management letter;
  • business developments that may have an impact on next year's audit;
  • possible changes to audit timing and/or staffing levels;
  • relations with the entity;
  • results of the audit committee meeting(s); and
  • opportunities to improve audit quality and/or quality management issues.

Planning Points for Future Audits

7.68 Planning points raised during the current year's audit to be considered for the following year should be documented in the form of an "exception." The following year, reviewing planning point exceptions will quickly highlight all suggestions identified during the previous audit.

7.69 In order to maximize efficiency, planning points should be acted on as soon as possible following completion of the audit, while the issues they are intended to address are fresh in the minds of those preparing the suggestions.

Signed Financial Statements and Auditor's Report

7.70 The individual managing the audit should ensure that the Annual Audit Practice Team receives a copy of the final signed financial statements and Auditor's Report.

Safeguards of Audit Files

7.71 All TeamMate master files moved to the Finalized stage should be processed by the OAG's Records Office in order to comply with professional standards and the Library and Archives of Canada Act. The audit team is responsible to notify the Records Office by email that the audit file is ready for archiving, immediately after the audit file has been moved to the Finalized stage. Upon email notification from the audit teams, the Records Office captures the Finalized TeamMate file in the Records system. Copies of the most recent Finalized master files are made accessible for further references in the Historical folders of TeamMate Explorer. The Historical folders are the responsibility of the Records Office. Audit teams should not create, move, or delete any files in these folders.

Review Policy

7.72 It is the policy of the Office that a Practice Review and internal audit program be in place to provide the Auditor General with timely information, advice, and assurance about whether OAG management systems, both for audit and support activities, are suitably designed and effectively operated to support the achievement of OAG policies, principles, values, vision, and overall Strategic Plan. The OAG Policy on Practice Review and Internal Audit specifies the operating principles and responsibilities for review.

Review Continuum

7.73 Review is carried out in several ways, but all based on the audit policies, quality control criteria, and other practice expectations in place within the Office. All levels of review are designed to provide assurance that practices meet accepted standards, and to help the Office continuously improve the quality of its products.

7.74 Team self-assessment. Audit teams can review audit practices through post-audit discussions and using available Self-Assessment Checklists. Checklists act as reminders to support the team in producing a high-quality audit. They can provide a blueprint for corrective actions during the course of the audit, provide a barometer to measure the quality of the audit, expedite future internal practice and external reviews, and identify opportunities to improve team and Office practices.

7.75 Practice reviews. The Practice Review team carries out Practice Reviews of a sample of audits in order to obtain a perspective on the quality of audit and management practices. It also carries out reviews of areas of higher risks across all audits. The scope of Practice Reviews encompasses all aspects of the audit process. Practice Reviews are designed to contribute to continuous improvement by creating the opportunity for audit teams and the Office to learn from experience. As such, audit teams should consider whether their audits are impacted by communicated findings and, if so, adopt appropriate responses.

7.76 Internal audit. Internal audits of administrative functions are carried out using the same auditing standards that the Office uses when conducting audits in the government. The Internal Audit Department advises management of significant risk areas within the Office and the extent to which they are being managed. It provides information, analysis, assessments, and recommendations to assist management in the discharge of its responsibilities.

7.77 External reviews. The Office periodically appoints an external organization to carry out a review of its practices in order to confirm internal assessments and to obtain a truly independent assessment.

Other Inputs to Continuous Improvement

7.78 The Office also undertakes a variety of approaches to help identify opportunities to improve practices, including the elements described below.

7.79 Client and stakeholder surveys. The Office annually obtains feedback on its performance through consultation with its clients and stakeholders through the Post Audit Survey process.

7.80 The Post Audit Survey is an official correspondence from the Auditor General to key representatives of our audit entities—such as deputy ministers, board chairs, and audit committee chairs—that solicits feedback which helps to identify areas for improvement in our audit process. The survey covers topics such as professional relations, audit value, communications, and management of the audit. The survey is delivered to the audit committee (or equivalent) and entity senior officer at the time of delivery of the Auditor's Report. Responses are received and reviewed directly by the Auditor General.

7.81 Survey responses are collected by the Auditor General's office and forwarded to the Strategic Planning Team for detailed analysis. Reports on the results are produced and delivered to the Office's Executive Committee on a quarterly basis. All survey responses received between 1 April and 31 March of any given fiscal year are reported, in an aggregated fashion, in our annual performance report for that fiscal year.

7.82 A detailed description of the process for Post Audit Surveys and additional templates and guidance are located on the OAG INTRAnet.

ANNUAL AUDIT POLICY

The audit Principal should ensure that the Post Audit Survey letter is prepared in accordance with the Process for Post Audit Surveys and distributed at the time of delivery of the Auditor's Report to the audit committee (or equivalent).

7.83 Benchmarking and collaboration. The Office maintains relationships with provincial audit offices and audit offices in other countries. Practices are shared through exchange of information and conferences and symposia, as well as through relationships with representatives from these other audit offices. The Office also keeps informed of new developments in the field of auditing through its participation in organizations such as the Canadian Council of Legislative Auditors (CCOLA), the CCAF-FCVI Inc., the International Organization of Supreme Audit Organizations (INTOSAI), and the Canadian Institute of Chartered Accountants (CICA). The Assistant Auditor General responsible for methodology is also responsible for benchmarking our annual audit methodology. The most recent benchmarking exercise was carried out in the fall of 2008.

8 Consultation

General

8.1 We operate in a complex environment that requires teamwork, specialized knowledge, and the wisdom gained from the experience of others. The Office's Quality Management System explicitly recognizes the contributions and strengths that various groups in the Office may bring to bear in conducting quality annual audits, by establishing general standards regarding who should be consulted and when. It is rarely possible for one individual, or even a very strong audit team, to know everything that is required in order to ensure that all aspects of our Quality Management System have been adhered to in a given annual audit. As well, the profession has long recognized the value of "sober second thought" and independent review and challenge of contentious, difficult, and/or complex issues. For these reasons, consultation is a key element of almost every annual audit.

8.2 The Office has a history of working together and utilizing the knowledge and collective expertise of its staff. We have a strong corporate culture whereby difficult and/or contentious issues are resolved in a collaborative and consensus-building fashion. Our Quality Management System works in concert with this culture by requiring consultation in high-risk situations or in situations where audit teams could not reasonably be expected to have the requisite expertise to deal with specialized issues.

ANNUAL AUDIT POLICY

The audit Principal should consult with internal and external specialists and senior Office staff, as necessary, when dealing with unusual, complex, or controversial issues, or "other matters" requiring specialized knowledge or experience.

The audit Principal should ensure that members of the audit team have undertaken appropriate consultation during the course of the engagement, both within the audit team and between the audit team and others at the appropriate level within or outside the Office.

The audit Principal should ensure that conclusions resulting from such consultations have been implemented.

Documenting Consultation

8.3 Effective consultation with other professionals requires that those consulted be given all the relevant facts to enable them to provide informed advice on technical, ethical, or "other matters." The documentation of the consultation must enable an understanding of the issue on which consultation was sought, the results of the consultation, including any decisions taken, the basis for those decisions, and how they were implemented.

8.4 When applicable, documentation should include

  • the need to use a specialist and reasons for selecting a particular specialist;
  • the specialist's role in the engagement and the reason for choosing that approach;
  • important communications with the specialist, especially concerning the nature of the relationship between the audit team and the specialist, if such communications are not in writing;
  • information concerning the specialist's expertise (including qualifications), competence, and integrity;
  • information concerning the specialist's objectivity;
  • a description of the specialist's work;
  • notes concerning the audit Principal's work on the specialist's work and findings, including any review of the specialist's working papers;
  • the specialist's report and other findings, or relevant parts thereof; and
  • the audit team's assessment of the relevance of the specialist's report on the overall audit.

The Principal should also ensure that the specialist consulted agrees with the documentation of these matters.

ANNUAL AUDIT POLICY

The Principal should ensure that the nature and scope of, and conclusions resulting from, consultations are documented and agreed to by the party consulted.

Consulting the Auditor General on Sensitive Issues

8.5 Certain sensitive issues should be brought to the attention of the Auditor General prior to the signing of the Auditor's Report, even when signing authority has been delegated by the Auditor General. These sensitive issues include such matters as proposed reservations of opinion, significant non-compliance with authorities, proposed "other matters," management estimates that have a significant impact on the reported results of operations, controversial professional positions, or "other matters" with the potential for broader implications beyond the audit entity alone.

ANNUAL AUDIT POLICY

The audit Principal and the responsible Assistant Auditor General should consult the Auditor General on proposed reservations of opinion, "other matters," or any other sensitive issues prior to the signing of the Auditor's Report.

Independent Accounting and Financial Auditing Advisory Committee Independent Advisory Committee

8.6 The Independent Accounting and Financial Auditing Advisory Committee Independent Advisory Committee is a standing committee of external advisors to the Auditor General. It is made up of experienced members of the accounting profession in Canada, with a mandate to provide advice to the Auditor General on his/her annual audits of the Public Accounts of Canada, Crown corporations, and other entities.

Quality Reviewers

Practice Statement #6—Quality Control Review and Differences of Opinion

8.7 The role of the Quality Reviewer is to provide additional assurance that annual audits are conducted in accordance with professional and Office standards in key areas for engagements judged to be of higher audit risk to the Office.

8.8 The Quality Review performed by the Quality Reviewer provides an objective evaluation, before the Auditor's Report is issued, of the significant judgments made and the conclusions reached in formulating our audit opinion. The Quality Reviewer's function is an important element of the Office's quality control system. The Reviewer is involved with individual annual audits from the initial planning decisions to the delivery of the Auditor's Report and the closing of the audit file.

8.9 The extent of the Quality Review is determined by the judgment of the Quality Reviewer and depends on the complexity of the audit and the risks associated with it. A Quality Review would not involve a detailed review of all working papers, nor would it diminish the responsibility of the audit Principal for the audit.

8.10 For detailed information on matters considered in appointing a Quality Reviewer to an annual audit, the eligibility criteria for the Quality Reviewer, and the nature, timing, and extent of the reviews, see "Quality Reviewer Guidance for Annual Audit" on the Annual Audit INTRAnet site.

Practice Statement #6—Quality Control Review and Differences of Opinion

ANNUAL AUDIT POLICY

On those audits for which a Quality Reviewer has been appointed, it is the audit Principal's responsibility to ensure that the Quality Reviewer is involved on a timely basis and receives the information needed to perform his/her review.

The Quality Reviewer's involvement with the audit strategy should take place before significant fieldwork begins.

The Quality Reviewer's involvement with respect to the Execution and Reporting phases of the audit should be completed and documented before the issuance of the Auditor's Report.

Involvement of Specialists

General

8.11 Generally accepted auditing standards require that the auditor and other persons performing the audit should collectively possess adequate knowledge of the subject matter of an audit. Bringing the appropriate expertise to bear in an audit may be essential to developing a sound strategic approach and to carrying out detailed planning, testing, and reporting.

8.12 The need, if any, to involve specialists and the type of specialists will vary considerably from audit to audit and is a matter of professional judgment. The decision whether or not to involve specialists in an audit should be made by the audit Principal.

8.13 If a specialist will be used in the audit process, the Principal and the specialist should determine the nature, timing, and extent of the specialist's role. The role will vary depending on whether they are in a consulting, coaching, or completing mode, depicted in the chart below.

Involvement of Specialists graphic

8.14 For consulting, the specialist's involvement may be limited to identification of key risks based on the entity's business and changes since the prior year.

8.15 For coaching, the specialist's involvement is generally targeted at areas of change and consists of attendance at key meetings with the entity and the audit team, as well as assistance in the development of the risk assessment and Preliminary Audit Approach by Cycle. The specialist will coach the team member as he or she performs the work in the specialist's area of expertise.

8.16 For completing, the specialist performs the work in the specialist's area of expertise, which is higher risk, in a complex environment, or where significant changes have occurred. The specialist will be involved in all aspects of the audit process.

8.17 In addition, specialists are expected to ensure ongoing and effective communication with the audit team. When completing audit work, specialists are expected to ensure that the work performed and supporting documentation will ultimately provide the Reviewer with an understanding of

  • the nature, timing, and extent of the procedures performed;
  • the results of testing; and
  • the audit evidence obtained, significant judgments made, and conclusions reached.

The final documentation is expected to conform to the Experienced Auditor Principle (see Chapter 1).

8.18 Some examples of specialists that can assist in audits conducted in accordance with GAAS are as follows:

  • actuaries, with respect to the determination of actuarially computed liabilities or other amounts;
  • environmental experts, with respect to environmental liabilities and contingent liabilities, and site clean-up costs;
  • lawyers, with respect to determining whether the rights, title, and interest in financial assets have been legally transferred;
  • appraisers (for example, of real estate, works of art, and antiques);
  • IT Audit Specialists, with respect to complex aspects of information systems; and
  • tax experts, for particularly complex or unusual tax issues.

Assessing the Specialist's Work

8.19 Based on the significance of the specialist's involvement in the engagement (consulting, coaching, or completing) and on the risk associated with the use of the specialist's work and findings, the audit Principal should obtain sufficient appropriate evidence concerning the specialist's work and findings in order to consider and conclude on the reasonableness of

  • the source data used by the specialist;
  • the specialist's assumptions and methods and, where applicable, their consistency with those used in prior periods; and
  • the specialist's findings and conclusions.

The audit Principal should also conclude on the significance of the specialist's findings in relation to the whole audit.

8.20 The extent of our review of the specialist's work could vary considerably based on the significance of the specialist's involvement in the engagement and the level of assurance derived from his or her work. For example, if the specialist is used solely to provide knowledge and advise orally then review of the specialist's work may be limited. However, if the specialist actually completes audit work then review of his work should be more formal.

Annual Audit Practice Team

8.21 In addition to reviewing financial statements and Auditor's Reports, the AAPT works with audit teams to resolve complex accounting and auditing issues as they arise. Consultation generally begins with the audit team providing the AAPT with a description of the issue, a summary of research done by the audit team, alternatives considered, conclusions on issues, and the audit team's proposed course of action.

ANNUAL AUDIT POLICY

The audit Principal should ensure that the Annual Audit Practice Team is consulted on all significant difficult/complex accounting and auditing issues and that the consultation has been properly documented.

8.22 The AAPT can also assist audit teams in identifying internal and external specialists and sources of industry information.

8.23 In the Planning Phase, the AAPT can provide valuable input in helping the audit team assess the significance of potential reporting issues that have been identified, and assist in suggesting how the issues should be conveyed to those having oversight responsibility for the financial reporting process. The AAPT can also assist the audit team in performing a preliminary assessment of issues identified early in the audit process, and identifying the nature and extent of additional information needed to finalize Office positions on such matters.

IT Audit Specialist Team

8.24 The Office's annual audit methodology generally requires a member of the IT Audit Specialists team to be involved throughout the audit, beginning with the Entity Risk Analysis and continuing up to the Reporting Phase. Accordingly, consultation with IT Audit Specialists is an integral and ongoing element of most annual audits. The expected involvement of IT Audit Specialists is described in Chapter 2—General Audit Management Issues.

ANNUAL AUDIT POLICY

The audit Principal should ensure that the audit team has members with sufficient specialized IT knowledge and audit skills. Audit teams working with entities with complex computer systems must have at least one member who is an IT Audit Specialist.

8.25 Consultation with senior members of the IT audit team may be required from time to time, for example where very specialized knowledge is required or where complex issues have been identified. The decision to seek additional specialist input would normally be made by the audit Principal, after discussion with the team's IT Audit Specialist.

8.26 The IT audit team is also available to support IDEA data extractions for the purposes of carrying out substantive tests of detail and/or systems analytics. The IT audit team can be contacted to provide more information on the use of IDEA.

Financial Instruments Specialist Team

8.27 Whenever the audit entity is involved with complex financial instruments (swaps, foreign exchange exposures, derivatives, lending or insurance operations), it may be appropriate to consult with the Financial Instruments (FI) team. Consultation at an early stage may contribute to ensuring that reporting considerations are properly addressed well before the Reporting Phase of the audit is reached.

8.28 The need for involving FI Specialists on individual audits is a matter of professional judgment. The decision as to whether FI expertise is required should be made by the audit Principal.

Legal Services

8.29 Legal Services is responsible for providing legal advice and counsel to the Office. This includes providing advice on

  • legal issues arising during the course of audits;
  • the engagement of outside legal counsel; and
  • in-house legal issues in areas such as personnel relations, labour relations, and contracting.

ANNUAL AUDIT POLICY

The audit Principal should consult Legal Services on matters that present legal risks for the Office.

8.30 Matters that may require consultation with Legal Services include

  • questions involving the mandate of the entity;
  • identification by the audit team of potential legal issues;
  • legal advice forming the basis of a reservation in the Auditor's Report, for example, relating to non-compliance with authorities or an "other matter";
  • the inclusion of legal advice in annual audit documentation (such as the Report Clearance Summary) that will be reviewed by the audit report signatory;
  • substantive discussions planned with the Department of Justice or the legal services units of an entity;
  • the intention of a Principal to refer in the Auditor's Report to a legal opinion obtained by the audit entity;
  • requests for new work or services being considered; and
  • third-party references made in reports.

Forensic Audit Section

8.31 Forensic Audit Section provides assistance and guidance to entity teams on matters of wrongdoing and fraud. The audit team shall consult the Forensic Audit team whenever significant fraud risk factors have been identified and/or there is evidence to suggest there may be a need for specialized forensic audit procedures. "OAG Audit Policy on Wrongdoing and Fraud," available on the Annual Audit INTRAnet site, sets out general expectations for auditors of the Office.

Consultation and the Annual Audit of the Public Accounts of Canada

8.32 The annual audit of the Public Accounts of Canada is the largest annual audit in Canada. As might be expected, it has some unique characteristics that differentiate it from other annual audits. One of these unique characteristics deals with consultation. Because the audit is structured to involve entity teams and the Central Team, two types of consultation typically occur:

  • consultation between the entity teams and the Central Team; and
  • consultation between the Central Team and other Office specialists.

8.33 The Principal(s) of the Central Team are responsible for the audit of the Public Accounts of Canada and development of the overall audit strategy as set out in the strategic approach for the annual audit of the Summary Financial Statements of the Government of Canada. As well, the Central Team has its own cluster leaders assigned to various aspects of the Public Accounts audit. Accordingly, questions that entity teams would normally direct to specialists in the Office would first be referred to the Central Team Principal (or his/her delegate) for resolution. Depending on the circumstances, the matter may then be referred to Office specialists who are independent of the Central Team. In general, entity teams would not refer matters to Office specialists without first discussing them with the Central Team Principal.

8.34 The Central Team may also find it necessary to refer matters to Office specialists. In these cases the Central Team would be expected to follow Office consultation practices.

Appendix—Annual Audit Manual (Revision June 2010)

Table of Contents

Preface—Annual Audit Manual (Revision June 2010)

Practice Statement #1—OAG Transition to new CASs

Practice Statement #2—Deviations from Office Policy and GAAS

Practice Statement #3—Senior Roles and Responsibilities for Audit Quality

Practice Statement #4—Conducting our Audits in Accordance with CASs

Practice Statement #5—Team Members' Understanding of CASs

Practice Statement #6—Quality Control Review and Differences of Opinion

Practice Statement #7—Preconditions for an Audit

Practice Statement #8—Multi-Location (Group) Audits

Practice Statement #9—Laws and Regulations in an Audit of Financial Statements

Practice Statement #10—Auditing Accounting Estimates

Practice Statement #11—Related Parties

Practice Statement #12—Going Concern

Practice Statement #13—Fraud Risk Assessment Procedures and Related Activities

Practice Statement #14—Materiality and Evaluating Misstatements

Practice Statement #15—Communicating Significant Deficiencies in Internal Control

Practice Statement #16—Report to the Audit Committee

Practice Statement #17—Audit Sampling

Practice Statement #18—The Auditor's Report

Practice Statement #19—The Auditor's Report—Other Communications (emphasis of matter, other matter and non-compliance with authorities)

Practice Statement #20—Written Representations

Practice Statement #21—Documentation Completion Requirements

Preface—Annual Audit Manual (Revision June 2010)

The June 2010 revision of the Annual Audit Manual [the "manual"], has been performed for the purpose of providing timely update related to the new Canadian Auditing Standards (CASs), while minimizing the extent of change to the manual and providing readers with a simple and effective means for identifying and understanding the CAS related changes to our methodology and practice implications.

Mindful of this purpose, the update has been implemented using an appendix of revisions to be read in conjunction with the manual rather than publishing a new version of the manual. Readers may continue to read the manual as before while referring to the appendix, where the manual makes reference to it.

Scope of the revisions to the manual—The appendix of revisions consists of 21 practice statements, each addressing a specific audit area or section of the manual impacted by the new CASs. The practice statements introduce and identify specific aspects of our methodology impacted by the new CAS's requirements followed by guidance and, as appropriate, Annual Audit (AA) policy either revised or redrafted to align with the CASs. In these specific areas where the requirements of the CASs become more prescriptive and procedural, the practice statement in this appendix introduces the CAS's requirements at the broader conceptual level and then refers the auditor to the appropriate TeamMate folder for detailed procedures and guidance.

Presentation of the revisions—Readers may easily identify revisions based on the following presentation rules:

The body of the manual essentially remains unchanged other than to include reference where appropriate, to new or revised information located in the appendix containing the Practice Statements or to indicate text superseded by a practice statement. The revisions are indicated by the following formatting:

  • superseded information remains visible for tracking purposes only and is presented as red strikeout text with reference to a relevant practice statement in blue, underlined text;
  • new information is included within the practice statements; and
  • where sections of the manual have been revised in a practice statement, new text is presented as green, underlined text.

Authority of the revisions—Although the practice statements are written in a less formal tone intended to provide auditors with a practical discussion of the impact to the attest practice, the guidance and annual audit (AA) policy contained in the practice statements are to be considered Office Methodology. Superseded information in the manual, as well as certain manual sections extracted to the practice statements, are visible as red strikeout text; however, this formatting is for tracking purposes only. These sections are no longer Office Methodology.

The following new AA policy recognizes the authority of the Practice Statements.

ANNUAL AUDIT POLICY

Guidance and policy contained within practice statements (see appendix to the manual) constitute Office Methodology and shall be afforded the same authority as the guidance and policy contained within the body of the manual. Superseded guidance and policies formatted in red strikeout remain visible to the reader for tracking purposes only and have been withdrawn as Office Methodology.

Practice Statement #1—OAG Transition to new CASs

The Preface to the CICA Handbook—Assurance revised for the adoption of CASs (Part 1) indicates that the new CASs are effective for audits of financial statements for periods ended on or after 14 December 2010. Auditing standards in effect before the issuance of the CASs are effective for audits of financial statements relating to periods ending before that date. This practice statement provides auditors with guidance and AA policy for determining when to apply the new CASs and revised Office methodology to their engagements.

OAG Transition to New CASs

Office Methodology (including the manual, guidance, templates and TeamMate) has been revised to align with the new CASs. The Office recognizes there will be a transition period during which audit teams may require guidance in determining which auditing standards and Office Methodology apply to their engagement. The following AA policy provides audit practitioners with guidance for determining the appropriate generally accepted auditing standards (GAAS) and Office Methodology to apply to their audits during the CAS transition period.

ANNUAL AUDIT POLICY

The audit Principal shall ensure the audit engagement is planned and performed in accordance with the appropriate auditing standards and Office Methodology by applying the CAS transition provisions presented below as applicable to their engagement circumstances.

  • Annual audits of years ended prior to 14 December 2010, for which the auditor expects to date the Auditor's Report prior to 14 December 2010, shall be conducted in accordance with the existing auditing standards found in Part 2 of the CICA assurance handbook and comply with Office Methodology, including related audit tools in place at the time the audit commences.
  • Annual audits of years ended on or after 14 December 2010 shall be conducted in accordance with Canadian Auditing Standards (CAS) found in Part 1 of the CICA assurance handbook and comply with Office Methodology including related audit tools revised for the adoption of CAS.
  • Annual audits of years ended prior to 14 December 2010, for which the auditor expects to date the Auditor's Report on or after 14 December 2010; the engagement leader shall consult with the Assistant Auditor General (AAG) of the PPG and the Annual Audit Product Leader to determine which auditing standards and Office Methodology to apply.

The new CICA Handbook—Assurance—The assurance handbook has been separated into 2 parts for the period of transition. Part 1 contains a complete set of audit and assurance standards revised for the new CASs. Part 2 contains a complete set of audit and assurance standards in effect prior to the new CASs. The AASB has indicated Part 2 will be withdrawn from the handbook later in 2011.

Documentation—When you are in a position where consultation with the Assistant Auditor General (AAG) of PPG and the Annual Audit Product Leader is required by the above policy, the audit file should include documentation of the consultations and the conclusions.

Practice Statement #2—Deviations from Office Policy and GAAS

CAS 230, Audit Documentation, requires that if, in exceptional circumstances, the auditor judges it necessary to depart from a CAS requirement, which is otherwise relevant to the circumstances of the engagement, the auditor shall document how alternative audit procedures achieved the aim of that requirement, and the reasons for the departure. This practice statement provides revised guidance and AA policy regarding deviations from Office policies and GAAS, which should otherwise be relevant or applicable to an engagement.

AA policy at paragraph 6 of the manual section "How to Use This Manual" addresses departures from GAAS and/or policy. It has been revised below to reflect the CASs requirement to consider alternative procedures when deviating from a required CAS procedure.

How to Use This Manual

6. There is an expectation that the framework for conducting annual audits described in this manual will be followed by all Office staff. However, while it is recognized that no system is applicable in every circumstance, exceptions to Office policies, methodology, and supporting guidance and tools should be rare. When we do not comply with an AA policy and/or TeamMate audit procedure, which would normally be relevant to the circumstances of the engagement, the audit Principal shall ensure the audit objectives of the policy or procedure not performed that are met through appropriate alternative procedures. In these rare situations, the audit Principal should obtain the concurrence of his/her Assistant Auditor General (AAG) and, in exceptional circumstances, that of the Auditor General.

ANNUAL AUDIT POLICY

Staff (Office employees and contractors) shall comply with AA policies and Generally Accepted Auditing Standards (GAAS) and shall apply Office Methodology. In those rare instances where it is considered inappropriate or impractical to comply with Office policies or GAAS and procedures, which would normally be relevant to the circumstances of the engagement, the audit Principal shall document in the audit file, the reason for the departure, how the objectives of the policy and/or procedures that are not performed are met through appropriate alternative procedures, and obtain approval from the responsible Assistant Auditor General prior to finalization or revision of the audit approach. Deviations should be communicated to the Quality Reviewer. consult with the Annual Audit Practice Team, and document the deviation.

Documentation—When deviating from AA policy and/or procedures, the auditor should refer to TeamMate procedure D.4—Conclusion on CAS Objectives to identify the CAS objective impacted by the deviation and to ensure alternative procedures are appropriately designed to achieve the stated CAS objective. Our reasons for the departure, how we achieved the CAS objective impacted by the deviation, and AAG approval should be documented in TeamMate at C.7.PS Finalization of the Audit Plan and it should be communicated to the Quality Reviewer.

Practice Statement #3—Senior Roles and Responsibilities for Audit Quality

CSQC-1, Canadian Standard on Quality Control, provides audit firms with requirements for certain firm-wide policies and procedures necessary to establish and maintain a system of quality control. A comparative analysis of the Office's Quality Management System (QMS) to the new CSQC-1 has identified certain requirements related to the Leadership Responsibilities for Audit Quality for which the Office's senior roles and responsibilities need to be more clearly aligned. These leadership roles and responsibilities for audit quality have been identified as the Assistant Auditor General, Annual Audit Product Leader, the Professional Practices Group, quality reviewers, and other senior OAG committees or parties involved in audit products, as they relate to quality.

This practice statement replaces paragraph 9 and revises the Roles and Responsibilities section of the manual at paragraphs 2.43 to 2.45 and the Quality Assurance Service Roles and Responsibilities section of the manual at paragraphs 2.66 through 2.68 to integrate the new "Senior Roles and Responsibilities for Audit Quality" policy approved by the executive committee in response to the above QMS review. Below are the manual sections as extracted and revised.

Methodology Support

9. The Product Leader for Annual Audit is responsible for the ongoing support of the annual audit policies, methodology, and supporting guidance and tools described in this manual. Questions regarding interpretation or the application of particular aspects of the Office's approach should be directed to the Product Leader for resolution. As well, innovative practices and suggestions for improvement are appreciated and will be used to enhance the methodology and to improve practices throughout the Office.

Audit Team Roles and Responsibilities

2.43 Audit team members have responsibilities for corporate management, people management, audit management and delivery, entity relations, and internal and external communication. The following discussion outlines the key responsibilities of the various members of an audit team for audit management and delivery.

2.44 The Assistant Auditor General (AAG) is accountable to the Auditor General for final products and responsible for providing assurance to the Auditor General that audit engagements in their portfolio are carried out in compliance with Office policies, professional standards and the Office's Quality Management System. As such, the primary functions of the audit AAG for audit quality are to:

  • provide strategic input to shape the objectives of the audit;
  • identify anticipated contentious issues and monitor actions to address such issues;
  • provide assurance to the AG that the audit engagements in their portfolio are carried out in compliance with Office policies, professional standards and the Office's Quality Management System; and
  • ensure that resources provided to them are managed effectively and efficiently in conducting the audits within their portfolio.
  • provides strategic vision and advice, and performs a management challenge role regarding the purpose of the audit, methodology, findings, and cost;
  • approves the audit strategies, objectives, and plans developed by Principals as well as the recommendations from external advisors. The degree of AAG involvement is riskbased and depends on the experience of the team and the sensitivity of entity issues. Of particular importance is the AAG's timely involvement during the Planning Phase and oversight during reporting;
  • ensures appropriate staffing of audits. After considering advice from product line committees, the AAG is accountable to the Auditor General for the use of resources on products;
  • ensures that the Office's position on topics is consistent and encourages "no surprises" audits for the entity; and
  • ensures that there is a riskbased longterm strategy for audits of the entity and that all work meets audit standards. The AAG participates in audit committee meetings, as appropriate, and helps identify "valueadded" opportunities in the committees' work.

For all types of audits, the AAG

  • manages senior client relations;
  • lags important or sensitive matters for the Auditor General; and
  • provides assurance of audit quality, by ensuring compliance with the quality management framework.

2.45 The Principal is accountable to the AAG for the use of resources on products, and shares responsibility with the AAG for assigning work. The Principal is also responsible for ensuring that products are delivered on time and within budget.

  • The Principal is the Engagement Practitioner as defined by the CICA Handbook and, as such, is responsible for ensuring that each engagement complies with professional standards and OAG policies. This includes ensuring that, throughout the engagement,
    • the engagement team has the necessary competencies, resources, and time to carry out the engagement;
    • team members comply with OAG conflict of interest, confidentiality, and independence requirements and have the appropriate security clearances;
    • there is appropriate planning, supervision, and review of team members;
    • discussions with other team members, internal specialists, quality reviewers, AAGs, audit leaders, methodology principals, the Deputy Auditor General (DAG), and the Auditor General are timely, appropriate, and properly documented;
    • the audit is conducted in compliance with Office policies, the audit quality control system, and professional standards; and
    • there is sufficient and appropriate evidence to support the audit's conclusions.
  • The Principal develops the audit strategies, objectives, and plans, using the audit manual for guidance. If necessary, the Principal hires contractors to conduct or help conduct the audits, and recommends external advisors for approval of the AAG.
  • The Principal also reviews all audit report drafts prior to review by the AAG, and conducts quality reviews.

The primary functions of the audit Principal (the practitioner/engagement leader) for audit quality are to:

  • be responsible for audit quality and provide assurance to the audit AAGs that their audit engagements are carried out in compliance with Office policies, professional standards and the Office's Quality Management System; and
  • ensure that resources provided to them are managed effectively and efficiently in conducting their audits.

As Engagement Leader (OAG equivalent to "Engagement Partner") and Engagement Practitioner as defined by the CICA Handbook, the audit Principal is the person in the office who is responsible for the engagement and its performance, and for the report that is issued on behalf of the Auditor General.

Accordingly, the audit Principal is responsible for the overall quality of each engagement to which they are assigned, including compliance with the Quality Management System, Office policies, and relevant professional standards. In CAS 220—Quality Control for an Audit of Financial Statements, paragraphs 8 through 23 list the specific professional responsibilities of the engagement leader (audit Principal) regarding quality control procedures for an audit of financial statements.

Quality Assurance Services Roles and Responsibilities

2.66 There are three four quality assurance services that support the Office's QMS. The first two three are involved prior to the completion of the audit, while the latter generally takes place post-completion:

  • Annual Audit Product Leader;
  • Annual Audit Practice Team (AAPT);
  • Quality Reviewer; and
  • Practice Review.

The primary functions of the Annual Audit Product Leader are to:

  • provide leadership for the annual audit product line;
  • provide oversight for the annual audit product line; and
  • contribute to the quality of individual audits.

The Annual Audit Product Leader provides leadership for the product line by:

  • monitoring significant developments that could affect the product line; and
  • leading the preparation of plans to respond to such developments.

The Annual Audit Product Leader provides oversight of the:

  • implementation of action plans to address significant developments affecting the annual audit product line and the application of Office strategic decisions and policies;
  • achievement of approved performance targets; and
  • implementation of the long-term audit schedule.

The Annual Audit Product Leader contributes to the quality of individual audits by:

  • providing input to the AAG concerning Office methodology regarding the designation of high-risk audits for purposes of assigning quality reviewers;
  • in consultation with responsible AAG, recommending additional quality control steps as appropriate for high-risk audits (e.g. convening of internal advisory committees; participation of Product Leader, DAG and Auditor General on such committees);
  • being engaged by Subject Matter Expert AAGs and by quality reviewers in the resolution of issues brought by them; and
  • being engaged on complex accounting and auditing issues to ensure consistency and appropriateness of Office positions.

2.67 AAPT's financial statement review has two broad objectives: to ensure that there is a consistent approach to significant audit issues throughout the Office; and to ensure that the Auditor's Reports conform to professional reporting standards and are appropriate to the financial statements presented.

The primary functions of the Annual Audit Practice Team (AAPT) are to:

  • provide assurance to the report signatory that the audit report, in all material respects, reflects a consistent and appropriate application of professional reporting standards and Office reporting policies;
  • provide advice to staff including audit team members, quality reviewers and Subject Matter Experts on the interpretation and application of methodology;
  • provide assurance to the report signatory that in all material respects the financial statements are prepared in accordance with the applicable financial reporting framework and that the Auditor's Report is appropriately worded; and
  • provide support as required to the Annual Audit Product Leader.

2.68 Quality Reviewers are appointed for audits generally associated with higher risk to the Office. The quality control review performed by the Quality Reviewer provides an objective evaluation of the significant judgments the audit team made and the conclusions reached in formulating our audit opinion. This takes place before the Auditor's Report is issued.

The primary function of the Quality Reviewer is to:

  • provide an objective evaluation throughout the audit process (to the audit AAG and the audit team) and before an audit report is issued (to the report signatory) of the significant judgments the audit team made and the conclusions reached in formulating the report by, among other things:
    • reviewing the planning, risk assessment and budgeting decisions of the audit team;
    • bringing to the Annual Audit Product Leader on a timely basis (within 5 days), and to the DAG and or Auditor General as necessary, any issues identified that are not addressed by the audit AAG to the satisfaction of the Quality Reviewer and that the Quality Reviewer believes puts the Office at undue risk; and
    • providing assurance to the report signatory that the main controls/steps in the Quality Management System have been applied/completed.

Practice Statement #4—Conducting our Audits in Accordance with CASs

The new CAS 200, Overall Objectives of the Independent Auditor, introduces new requirements related to conducting an audit in accordance with CAS. These new requirements include complying with ethical standards, complying with relevant requirements of the CASs, forming our auditor's opinion based on the stated objectives of the relevant CASs, and what to do if the auditor fails to achieve an objective. This practice statement provides new guidance and an AA policy aligned with the identified CAS requirements.

Conducting an Audit in Accordance with CAS

Complying with ethical requirements—In conducting our audits in accordance with CASs, we comply with relevant ethical requirements, including those pertaining to independence by adhering to our Quality Management System. Our engagement letter template and the standard Auditor's Report template located on the Financial Audit INTRAnet site include appropriate wording indicating our compliance.

Complying with relevant CAS requirements—The standard Auditor's Report under CAS requires that we state that our audit was conducted in accordance with Canadian GAAS and that we have complied with all requirements of the CASs relevant to the circumstances of the audit engagement.

Meet the objectives stated in relevant CASs—We conclude that the "overall objectives of the auditor" have been met if the stated objectives of each of the relevant CASs have been met, including the interrelationship among CASs. We also consider whether there is a need for additional audit procedures to achieve the objectives of the CASs and then evaluate whether sufficient appropriate audit evidence has been obtained to achieve the overall objective of the auditor.

Failure to achieve an objective—Failure to meet a CAS objective would at a minimum be considered a significant matter requiring appropriate consultation and documentation in accordance with Office policy. If we are unable to obtain sufficient appropriate audit evidence to meet an objective, we initiate appropriate consultations starting with the audit AAG to evaluate the impact on our Auditor's Report.

The following AA policy has been created to reflect these new requirements.

ANNUAL AUDIT POLICY

Prior to recommending the Auditor's Report for signature, the audit Principal shall consider if sufficient appropriate audit evidence was obtained to achieve the stated objectives of each of the relevant CASs or if additional audit procedures are needed.

Once satisfied that sufficient appropriate audit evidence has been obtained, the audit Principal shall conclude that the overall objective of the auditor has been achieved and, if so, recommend the Auditor's Report for signature.

If the audit Principal is not satisfied that sufficient appropriate audit evidence with respect to relevant individual CAS objectives and/or the overall objective of the auditor has been obtained, the audit AAG should be consulted to evaluate the impact on the Auditor's Report.

Documentation—Completion of TeamMate procedures and templates at  D.4—Report Clearance Summary provide the audit team with the necessary procedures and audit tools to perform and document the above AA policy.

Practice Statement #5—Team Members' Understanding of CASs

CAS 200, Overall Objectives of the Independent Auditor, requires that the audit team members have an understanding of the entire text of a CAS, including its application and other explanatory material, to understand its objectives, and to properly apply its requirements. This practice statement provides guidance and revises existing AA policy to align our practice with the CAS requirement.

Team Members' Understanding of CASs

In addition to considering the collective competencies of the audit team during the audit planning phase, the audit Principal shall consider if individual auditors possess an understanding of CASs appropriate for their role on the team. The audit Principal may consider certain factors which demonstrate this understanding such as relevant academic or professional accreditation, completion of relevant professional development courses, self-study and/or other equivalent learning, and past experience performing audits in accordance with CASs or ISAs).

AA policy at paragraph 2.45 has been revised to reflect this additional requirement.

ANNUAL AUDIT POLICY

The audit Principal shall ensure that the audit team collectively has the necessary competencies, resources, and time to perform the assurance engagement in accordance with professional standards and regulatory and legal requirements, and to enable the issuance of an Auditor's Report that is appropriate in the circumstances.

The audit Principal shall ensure each member of the audit team has an understanding of generally accepted auditing standards, specifically CASs, appropriate to their role on the team.

When the audit Principal does not have a professional accounting designation, the Assistant Auditor General will ensure the team has the necessary competencies.

Documentation—Assessment of the individual's understanding of GAAS will be considered when assigning the audit team including the implications on direction, supervision and performance of the team as discussed in the Teamwork-Briefing, Coaching and File Review section of the manual at paragraph 2.92. TeamMate procedures for documentation of this evaluation have been included at A.3.PS—Team Members.

Practice Statement #6—Quality Control Review and Differences of Opinion

CAS 220, Quality Control for an Audit of Financial Statements, requires the engagement quality review to be completed before the date of the Auditor's Report. Additionally, CAS 220 requires the Quality Reviewer to conclude and document that they are not aware of any unresolved matters. This practice statement provides supplemental guidance and revised AA policy, which addresses and integrates these CASs requirements.

Procedures to Resolve Differences of Professional Opinion

Engagement quality review—When an engagement has been assigned a Quality Reviewer, the Quality Reviewer is required to consider whether appropriate consultation has taken place on matters involving differences of opinion or other significant matters, and the conclusions arising from those consultations. Accordingly, the audit team ensures differences of opinion and other significant matters have been resolved and documented in a manner that permits the Quality Reviewer to complete their review prior to the date of the Auditor's Report.

AA policy at paragraph 2.128 has been revised to reflect the need to resolve differences of opinion in a manner that facilitates timely completion of the engagement quality review.

ANNUAL AUDIT POLICY

The audit Principal shall ensure that differences of professional opinion are addressed on a timely basis, following a three-step process: direct settlement; arbitration; and appeal.

The audit Principal shall ensure that the nature and scope of conclusions resulting from the differences of opinion resolution process are documented and agreed to by all parties consulted. before issuing

Documentation of these matters will be made available to the Quality Reviewer so that the engagement quality review may be completed prior to the date of the Auditor's Report.


Quality Reviewers

Timely completion —On audits for which a Quality Reviewer has been assigned, the audit Principal is responsible for ensuring that the information needed to complete the quality review is available in a timely manner and that the quality review is completed prior to the date of the Auditor's Report.

AA policy at paragraph 8.10 has been revised to reflect the above requirement to complete the review prior to the date of the Auditor's Report.

ANNUAL AUDIT POLICY

On those audits for which a Quality Reviewer has been appointed, it is the audit Principal's responsibility to ensure that the Quality Reviewer is involved on a timely basis and receives the information needed to perform his/her review.

The Quality Reviewer's involvement with the audit strategy should take place before significant fieldwork begins.

The Quality Reviewer's involvement in the Execution and Reporting phases of the audit should be completed and documented before the issuance date of the Auditor's Report and documented prior to the engagement documentation completion date.

Documentation—TeamMate procedures at D.4 Report Clearance Summary have been modified to reflect the revision to the above AA policy.

Practice Statement #7—Preconditions for an Audit

CAS 210, Agreeing the Terms of Audit Engagements, requires the auditor to assess whether the "preconditions" for an audit are present when evaluating whether it is appropriate to accept or continue an audit engagement. This practice statement provides guidance and revised AA policy for determining if the preconditions for an audit exist.

Approval Process and Documentation for Engagement Acceptance and Continuance

Preconditions for an audit—The preconditions of an audit must be considered each year as part of our client acceptance and continuance process. The preconditions for an audit exist when we assess the applicable financial reporting framework as acceptable and when we determine the "premise" of an audit has been met.

Acceptability of the financial reporting framework—We determine the acceptability of the financial reporting framework to be applied in the preparation of the financial statements by considering the cumulative impact of factors such as

  • the nature of the entity (for example, whether it is a business enterprise, a public sector entity or a not-for-profit organization);
  • the purpose of the financial statements (for example, whether they are prepared to meet the common financial information needs of a wide range of users or the financial information needs of specific users);
  • the nature of the financial statements (for example, whether the financial statements are a complete set of financial statements or a single financial statement);
  • whether law or regulation prescribes the applicable financial reporting framework; and
  • whether the framework consists of standards promulgated by an organization that is authorized or generally recognized as a standard setter such as Accounting Standards Board (AcSB), Public Sector Accounting Board (PSAB), International Accounting Standards Board (IASB), International Public Sector Accounting Standards Board (IPSASB), and Financial Accounting Standards Board (FASB).

The "premise" of an audit—The basis or premise of an audit is that management and, where appropriate, those charged with governance have acknowledged and understand that they have certain responsibilities that are fundamental to the conduct of an audit in accordance with CASs. We use the engagement letter, management representation letter, and standard Auditor's Report templates, which have been revised to include appropriate wording, to document the existence of the premise. These new templates are located on the Financial Audit INTRAnet site.

Legislated audit mandates—As legislative auditors, we are at times in a position in which we may not decline or withdraw from an engagement even when professional standards may have otherwise required us to decline or withdraw from an engagement. For instance, if an entity was to apply an unacceptable financial reporting framework and we are prohibited from withdrawing or declining the engagement, we may consider several reporting options, including additional communications such as an emphasis of matter paragraph, an other matters paragraph or possibly disclaimer of opinion (refer to Practice Statement #19—The Auditor's Report—Other Communications).

The AA policy at paragraph 3.5 has been revised accordingly.

ANNUAL AUDIT POLICY

The audit Principal should shall assess if the preconditions for an audit are present. Accordingly, the audit Principal shall determine the acceptability of the financial reporting framework to be applied in the preparation of the financial statements and ensure that the terms of reference for the audit engagement, significant features of the audit scope, and the responsibilities assumed are clearly set out in an engagement letter and included in a formal written communication to an oversight committee, if one exists.

If the above preconditions of an audit are not present or there are changes to the terms of the audit engagement which call into question the preconditions of an audit, the audit Principal shall consult with the AAG responsible for the audit.

Documentation—We document our assessment of the preconditions for an audit by completing TeamMate procedures and related templates at A.1.PS Client acceptance/continuance. We also use the engagement letter and standard Auditor's Report template located on the Financial Audit INTRAnet site to document the premise of the audit. The representation letter has also been modified to confirm management's assertion that it has fulfilled its audit responsibilities (refer to Practice Statement #20—Written Representations).

Practice Statement #8—Multi-Location (Group) Audits

CAS 600, Special Considerations—Audits of Group Financial Statements (including the work of component auditors), applies to group audits, in particular those that involve component auditors as defined below:

  • Group audit—The audit of group financial statements.
  • Component—An entity or business activity for which group or component management prepares financial information that should be included in the group financial statements.
  • Group Auditor—The audit Principal responsible for the group audit engagement and its performance, and for the Auditor's Report on the group financial statements that is issued on behalf of the Auditor General.

This practice statement provides auditors with guidance and AA policy for performing group audits.

Group Audits

Auditors performing group audits should refer to and apply the policies and practices of the Office's Multi-location (Group) Audits Guidance located on the Financial Audit INTRAnet site. Due to its length, this document is located on the Financial Audit INTRAnet site rather than in this practice statement. The following new AA policy recognizes the authority of this guidance as AA methodology.

ANNUAL AUDIT POLICY

Audit Principals performing the function of "Group Auditor or Component Auditor" shall ensure compliance with the policies and procedure requirements of our Annual Audit Methodology and our Quality Management System, which include, by way of reference, the policies and procedures of the document Multi-location (Group) Audit Guidance located on the Financial Audit INTRAnet site.


Documentation

Component auditors will include the following components from TeamStores in their TeamMate audit files:

  • A.4—Component Auditor—Supplementary Planning Steps
  • C.2—Component Auditor—Supplementary Audit Plan—Communication Plan with Group Auditor
  • D.13—Component Auditor—Supplementary Completion Procedures

Group auditors will include the following components from TeamStores in their TeamMate audit files:

  • A.5—Group Auditor—Supplementary Planning Steps
  • B.17—Group Auditor—Understanding the Component Auditors, Groups and Components
  • C.8—Group Auditor—Supplementary Risk Assessment, Materiality, and Audit Approach
  • D.14—Group Auditor—Supplementary Completion Procedures

Practice Statement #9—Laws and Regulations in an Audit of Financial Statements

CAS 250, Consideration of Laws and Regulations in an Audit of Financial Statements, replaces handbook section 5136, Misstatements—Illegal acts. While we may consider and possibly concurrently perform certain audit procedures with respect to reporting on compliance with authorities, CAS 250 and the following practice statement provides guidance in the context of our annual audit mandate, which requires us to assess and respond to potential risks of material misstatement to the financial statements due to non-compliance with laws and regulations.

Risk of Material Misstatement Due to Laws and Regulations

Laws and regulations impacting financial statement amounts—As part of developing our knowledge of the entity, Office methodology requires us to develop a general understanding of the legal and regulatory framework applicable to the entity and the industry or sector in which the entity operates; and how the entity is complying with that framework.

We do this by obtaining sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations with a direct effect on the determination of material amounts and disclosures in the financial statements. Accordingly we are required to:

  1. inquire with management and, where appropriate, those charged with governance, whether the entity is in compliance with such laws and regulations; and
  2. inspect correspondence, if any, with the relevant licensing or regulatory authorities.

Remain alert for instances of non-compliance—We remain alert for instances of non-compliance or suspected non-compliance with laws and regulations that come to our attention during the course of the audit. During the team planning meetings, team members should be made aware of the applicable provisions and the expectation that they remain alert for instances of non-compliance even when not performing procedures specifically designed for auditing such compliance.

Representation of compliance—We obtain from management and, where appropriate, those charged with governance, written representations that all known instances of non-compliance or suspected non-compliance with laws and regulations relevant to the financial statements have been disclosed to the auditor. The revised management representation letter located on the Financial Audit INTRAnet site provides appropriate documentation of management's assertion of compliance. We use judgment to determine whether to obtain written representation from the Audit Committee or if inquiry with the Audit Committee is sufficient.

In the absence of identified or suspected non-compliance, we are not required to perform audit procedures regarding the entity's compliance with laws and regulations other than those set out above; however, if we do identify potential instances of non-compliance, we document the risk and ensure an appropriate audit response in our audit approach.

Our response to instances of non-compliance, reporting and communications of such instances will be addressed in accordance with the applicable Office guidance and policies related to evaluating misstatements, as well as consultation and communications on significant matters internally and with the Audit Committee.

Examples of non-compliance with laws and regulations compared to "authorities"

Non-compliance with laws and regulations may relate to specific assertions in the financial statements such as completeness of accruals or recognition of expenses for income tax or pension costs.

Non-compliance with authorities may include FAA requirements for Crown corporations to prepare corporate plans and budgets or to maintain an internal audit function. The implications of non-compliance may not directly affect recognition and measurement of transactions.

Documentation— TeamMate mandatory audit procedures have been revised to include these prescribed audit procedures. Refer to TeamMate procedures B.15—Risk of Material Misstatement due to Non-compliance with Laws and Regulations and  E.8—Laws and Regulations for detailed procedures.

Practice Statement #10—Auditing Accounting Estimates

CAS 540, Auditing Accounting Estimates, including Fair Value Accounting Estimates, and Related Disclosures, introduces certain new concepts that require performing risk assessment procedures, considering the potential for management bias relating to accounting estimates, and considering accounting estimates and areas of high measurement uncertainty, including hindsight or "back-testing" procedures to evaluate the quality of management's estimates and assumptions. The CAS also requires the auditor to consider a range of acceptable outcomes and to evaluate the appropriateness of measurement uncertainty disclosures.

This practice statement provides new guidance addressing new requirements of CAS 540 at a conceptual level; however, the reader should refer to detailed TeamMate procedures at B.12—Risk of Material Misstatement in Estimates and E.7—Estimates for detailed procedures designed to address the prescribed requirements of CAS 540.

Risk of Material Misstatement in Estimates

Assessing risk related to estimates—As we develop our knowledge of the entity and perform risk assessment procedures, we also consider the risk of material misstatement including the potential for management bias. Accordingly, we develop an understanding of the requirements of the applicable accounting framework relevant to accounting estimates for the purpose of identifying account balances and disclosures requiring management estimates. We then consider management's process to identify transactions, events or conditions requiring accounting estimation and how they make these estimates for the purpose of recognition or disclosure as required by the accounting framework. We do this for the purpose of identifying possible risks of material misstatement including the potential for management bias relating to individual accounting estimates. Based on our risk assessment, we design procedures to obtain sufficient appropriate audit evidence to enable us to evaluate whether management's accounting estimates are reasonable and, in the context of the financial statements as a whole, are free from material misstatement.

Audit response to risks—In addition to performing appropriate procedures to verify the calculation of accounting estimates, the auditor should concentrate efforts on key factors such as underlying management assumptions, the materiality of estimates individually and in the aggregate in relation to the financial statements as a whole, the estimate's sensitivity to variation and deviation from historical patterns, and the estimate's consistency with the entity's business plans, and other evidence. Transactions and events occurring between the balance sheet date and the date of the Auditor's Report may provide the most appropriate evidence to evaluate the accounting estimates as can evaluating estimates made in the prior period financial statements (i.e. "back-testing"). In the case of complex estimating processes involving specialized techniques, it may be necessary for the auditor to rely on the work of experts.

Significant risks—In addition to designing an audit response to risks, if we determine a risk to be significant, we perform certain additional procedures to further consider the higher degree of estimation uncertainty. These procedures shall include evaluating:

  • how management has considered alternative assumptions or outcomes, and why it has rejected them, or how management has otherwise addressed estimation uncertainty in making the accounting estimate;
  • whether the significant assumptions used by management are reasonable; and
  • where relevant to the reasonableness of the significant assumptions used by management or the appropriate application of the applicable financial reporting framework, management's intent to carry out specific courses of action and its ability to do so.

Documentation—Auditors should refer to TeamMate procedures at B.12—Risk of Material Misstatement in Estimates and E.7—Estimates, which have been revised to align with and provide detailed audit procedures required by CAS 540.

Practice Statement #11—Related Parties

CAS 550, Related Parties, has no Canadian equivalent prior to the adoption of ISAs and is relevant to all audits irrespective of the applicable financial reporting framework. This practice statement provides guidance at the conceptual level and refers the reader to detailed TeamMate procedures aligned with the CAS requirements.

Risk of Material Misstatement Due to Related Parties

Consistent with our risk-based audit approach, we develop our knowledge of the entity and perform our risk assessment, including obtaining an understanding of related party relationships and transactions sufficient to

  • recognize fraud risk factors, if any, arising from related party relationships and transactions that are relevant to the identification and assessment of the risks of material misstatement due to fraud;
  • conclude, based on the audit evidence obtained, whether the financial statements, insofar as they are affected by those relationships and transactions:
    • achieve fair presentation (for fair presentation frameworks); or
    • are not misleading (for compliance frameworks); and
  • ensure where the applicable financial reporting framework establishes related party requirements, we obtain sufficient appropriate audit evidence about whether related party relationships and transactions have been appropriately identified, accounted for and disclosed in the financial statements in accordance with the framework.

Understand related party relationships and transactions—Risk assessment procedures that we perform include procedures to specifically consider the susceptibility of material misstatement related to fraud or error resulting from related party relationships and transactions. These procedures shall include

  • performing management inquiry for the purpose of identifying related parties, the nature of these relationships, and any related party transactions entered into during the year; and
  • performing the procedures necessary to develop an understanding of the controls, if any, that management has established to identify, record and disclose related party relationships and transactions in accordance with the applicable financial reporting framework. We develop an understanding of the controls surrounding the authorization and approval of significant related party transactions including transactions and arrangements outside the normal course of operations.

Review certain records and documents—During the audit, we remain alert for indications of the existence of related party relationships or transactions that management have not previously disclosed. Additionally, we inspect the following documents to identify related party relationships and transactions for which we have not been informed:

  • Bank confirmations and letters of legal inquiry obtained as part of other audit procedures
  • Minutes of meetings with the board of directors, audit committee or other oversight bodies
  • Other documents as deemed necessary in the circumstances of the entity

Documentation—For all entities, regardless of the applicable financial reporting framework, we obtain this understanding and evaluate identified risks of material misstatement by incorporating this understanding into our Audit Risk Assessment activities at C.1 in TeamMate.

Furthermore, TeamStore procedures have been revised at B.13—Risk of Material Misstatement due to Related Party Transactions and E.1—Related Party Transactions to provide detailed procedures for achieving the requirements of CAS 550 and to integrate any related party risks identified in our risk-based audit approach.

Practice Statement #12—Going Concern

CAS 570, Going Concern, has no Canadian equivalent prior to the adoption of ISAs; therefore, it is not addressed in our methodology other than as part of our entity-level risk assessment and only if we become aware of certain risk indicators as required under previous auditing standards. CAS 570 provides a more rigorous set of requirements for understanding the entity, its process for evaluating the going concern assumption and its governance structure for addressing risk. This practice statement provides guidance at a conceptual level and refers auditors to our TeamMate procedures designed to address the more detailed CAS requirements.

Going Concern Assumption

Relevance of going concern assumption—The going concern assumption is to be applied for all general-purpose financial statements, unless management either intends to liquidate the entity or to cease operations, or has no realistic alternative but to do so and for special-purpose financial statements prepared in accordance with a financial reporting framework for which the going concern basis is relevant.

Going concern assumption—When the use of the going concern assumption is required and appropriate for the preparation of financial statements, assets and liabilities are recorded on the basis that the entity will be able to realize its assets and discharge its liabilities in the normal course of business.

Risk assessment—Consistent with our risk-based audit approach discussed in Key Elements of our Annual Audit Methodology, when the applicable accounting framework is a general-purpose framework or a special-purpose framework, which requires financial statements be prepared on a going concern basis, we are required to

  • obtain sufficient appropriate audit evidence regarding the appropriateness of management's use of the going concern assumption in the preparation of the financial statements;
  • conclude, based on the audit evidence obtained, whether a material uncertainty exists related to events or conditions that may cast significant doubt on the entity's ability to continue as a going concern;
  • determine the implications for the Auditor's Report; and
  • remain alert throughout the audit for evidence of events or conditions that may cast significant doubt on the entity's ability to continue as a going concern.

Many of our audit entities may not perform a going concern analysis. We consider the nature of the audit entity and use our judgment in determining whether a formal analysis is required. If management has not performed a going concern assessment, we may consider including it in our planning interviews inquiry of whether events or conditions exist that, individually or collectively, may cast significant doubt on the entity's ability to continue as a going concern. Other procedures may include the review of plans and priorities documents, ministerial directives and/or other documents that could identify risk indicators.

Risk indicators in the public sector—Going concern risks may arise, but are not limited to, situations where government support may be reduced or withdrawn, or in the case of privatization. Events or conditions that may cast significant doubt on an entity's ability to continue as a going concern in the public sector may include situations where the public sector entity lacks funding for its continued existence or when policy decisions are made that affect the services provided by the public sector entity.

Documentation—Detailed procedures for the above CAS requirements are located in TeamStore at B.14—Risk of Material Misstatement as it relates to Going Concern Assumption, and E.9—Going Concern Assumption.

Practice Statement #13—Fraud Risk Assessment Procedures and Related Activities

CAS 240, The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements, requires the auditor to perform certain procedures to identify the risk of material misstatement due to fraud in an entity's financial statements. While the requirements of CAS 240 are not significantly different from previous GAAS requirements, TeamMate mandatory audit procedures have been revised to improve guidance provided to auditors and to ensure appropriate fraud risk considerations and related procedures are performed. This Practice Statement highlights four concepts of the fraud standard for which our methodology has been updated. These concepts include: maintaining professional skepticism, performing fraud inquiries, the presumption of significant risk due to management override of controls, and issuing timely communications. In addition, AA policies summarizing our key responsibilities related to fraud have been revised.

Risk of Material Misstatement Due to Fraud

Maintaining professional skepticism—Unless we have reason to believe the contrary, we accept records and documents as genuine; however, if conditions identified during the audit lead us to believe that a document may not be authentic or has been modified but not disclosed, further investigation is required. Where responses to management inquiries or to those charged with governance are inconsistent, the auditor shall further investigate the inconsistencies.

Performing fraud inquiries—In order to complete the fraud assessment, the audit team conducts interviews with those within the organization, including management and others within the entity; those charged with governance, and the entity's internal audit function during the planning phase of the audit to assess the risk that the financial statements are materially misstated due to fraud. If we identify possible risks of material fraud, we carry these items to our Audit Risk Assessment and respond as required by our annual audit methodology.

Detailed audit procedures for performing these risk-assessment procedures including inquiry have been included in the revised TeamMate procedures. Questions to be answered in order to make the assessment can be found in the following templates attached to TeamMate folder B.11—Risk of Material Misstatement due to Fraud :

  • B.11.1—Fraud Risk—Management Inquiries;
  • B.11.2—Fraud Risk—Internal Audit Inquiries; and
  • B.11.3—Fraud Risk—Audit Committee Inquiries.

Auditors should also complete the "Fraud Risk Factors" checklist located on the Financial Audit INTRAnet site to determine the risk of the financial statements being materially misstated due to fraud. If indicators of fraud have been observed, consult with the responsible AAG and the Forensic Audit Section to design further audit procedures. If we believe we have obtained evidence to suggest fraud exists, we consult with Legal Services to ensure an appropriate audit response.

Presumption of significant risk of management override of controls —While the level of risk of management override of controls will vary from entity to entity, the risk is nevertheless present in all entities; therefore, irrespective of our assessment of the risks of management override of controls, we design and perform audit procedures to respond to this risk. As such, the potential for management override of controls shall for all entities be presumed to be a "Significant risk requiring special audit consideration." Consequently, this risk shall always be included in our Audit Risk Assessment and the Preliminary Audit Approach by Cycle.

Issuing timely communications—The timing of our communications with management and with those charged with governance concerning information that indicates fraud may exist should occur as soon as practicable.

Accordingly, the following policies from paragraphs 4.68 and 4.74 of the AA manual have been revised.

ANNUAL AUDIT POLICY

The audit Principal shall ensure that the team has assessed and discussed the susceptibility of the entity to material misstatements in the financial statements due to fraud and error, that auditors understand they are to maintain an attitude of professional skepticism throughout the audit, and that the planned responses include risk assessment procedures and procedures addressing to the identified risks as well as the risk of management override. The audit Principal ensures these risks and related audit procedures have been discussed and approved at the team planning meeting and are documented in the audit file Risk Assessment Form.


ANNUAL AUDIT POLICY

In planning the audit, the audit Principal shall consider the risk of material misstatements in the financial statements resulting from fraud and error.

If during the course of the audit, information is obtained that indicates fraud may exist, the audit Principal shall consult the responsible AAG, the Forensic Audit Section and Legal Services to ensure an appropriate audit response.

Information indicating fraud shall be communicated as soon as practicable with the appropriate level of management.

Information questioning the integrity or honesty of management or indicating possible fraud involving management, employees with significant roles in internal controls, or others, which could result in material misstatement in the financial statements, shall be communicated to the Audit Committee or equivalent body as soon as practicable.

Documentation—TeamMate procedures and related templates at C.1—Annual Attest Audit—Risk Assessment and C.3—Preliminary Audit Approach by Cycle have been revised to reflect the presumption of significant risk related to management override of controls. Additionally, E.5—Fraud has been revised to include necessary audit procedures to respond to this assessed risk.

Practice Statement #14—Materiality and Evaluating Misstatements

CAS 320, Materiality in Planning and Performing an Audit requires the auditor to consider and apply different levels of materiality. CAS 450, Evaluation of Misstatements Identified during the Audit, requires that the auditor requests management to correct all misstatements, determine if uncorrected misstatements are material individually or in aggregate, and to ask those charged with governance to correct any uncorrected misstatements. The following practice statement provides AA policy that includes by way of reference new guidance and policy developed to provide auditors with improved methodology for determining materiality and evaluating misstatements.

Materiality and Evaluating Misstatements

The documents OAG Methodology on Materiality and OAG Methodology on Evaluating Audit Differences represent Office Methodology and should be applied in conjunction with the manual. Due to the length of these documents, they are located on the Financial Audit INTRAnet site rather than in this practice statement.

ANNUAL AUDIT POLICY

The audit Principal shall be involved in establishing the appropriate levels of materiality: overall materiality; planning materiality; materiality for particular items (if applicable); and the de minimis Summary of Unadjusted Differences (SUD) posting level.

Audit Principals shall ensure compliance with policies and practices included in this manual by way of reference to the OAG Methodology on Materiality and OAG Methodology on Evaluating Audit Differences located on the Financial Audit INTRAnet site.

Documentation—We document our materiality calculations and considerations using the template provided in TeamMate at C.3—Preliminary Audit Approach by Cycle.

Practice Statement #15—Communicating Significant Deficiencies in Internal Control

CAS 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management, requires the auditor to determine, on the basis of the audit work performed, whether, individually or in combination, deficiencies in internal control constitute "significant deficiencies" and to communicate appropriately with management and those charged with governance. This practice statement provides guidance related to considering the significance of deficiencies and communicating them to the Audit Committee.

Gaining Assurance Through Reliance on Controls

Significant deficiencies—When control deficiencies have been observed during the audit, we consider whether, individually or in combination, these deficiencies are "significant." We communicate all significant deficiencies to the Audit Committee, including those known to the Audit Committee and management due to previous audit communications, but where remedial action has not been taken, or even in instances in which management and the Audit Committee have chosen not to remedy due to cost or other considerations.

Significant deficiencies in internal controls are typically control deficiencies, which individually or in combination, would not mitigate (prevent or detect) an identified risk of material misstatement that we believe has a reasonable likelihood of occurring. Significant deficiencies may, therefore, exist even though we have not identified misstatements during the audit.

Refer to CAS 265 paragraphs A5 through A11 for additional guidance and examples of significant deficiencies in internal control.

Un-remedied significant deficiencies—If previously observed deficiencies are not remedied, we inquire with management, and if appropriate, the Audit Committee to determine why appropriate remedial actions have not been taken. The auditor should consider if the lack of a reasonable explanation is in itself a significant deficiency, and repeat our previous communication of the deficiency.

Accordingly, the policy at paragraph 5.45 of the AA manual has been revised.

ANNUAL AUDIT POLICY

When a reliance on controls approach cannot be adopted because of deficiencies weaknesses in internal control, the audit Principal shall ensure that the nature of these deficiencies weaknesses and the team's suggestions to strengthen them are reported in a management letter.

The audit Principal shall communicate in writing all significant deficiencies in internal controls as well as those control deficiencies that, in the auditor's professional judgment, are of sufficient importance to merit the attention of management.

Significant deficiencies shall be communicated to the Audit Committee, including all significant deficiencies identified during the audit and those previously communicated to the Audit Committee for which appropriate remedial actions have not yet been taken even when management has made the decision not to remedy them because of cost or other considerations.

Depending upon our assessment of the significance of these control deficiencies weaknesses, the audit Principal should also consider reporting them to those with oversight responsibility for the financial reporting process and, in extreme cases, to Parliament.

Where significant deficiencies are not remedied, the auditor shall communicate progress if any, ask management or, where appropriate, the Audit Committee why the significant deficiency has not yet been remedied and consider if a failure to act, in the absence of a rational explanation, may in itself represent a significant deficiency.

Documentation—The form and content of our communications with management and with the Audit Committee are detailed in TeamMate D.3—Report to the Audit Committee—Audit Results and the Report to the Audit Committee—Annual Audit Results template located on the Financial Audit INTRAnet site. AA policy at paragraph 5.45 of the manual section, Gaining Assurance through Reliance on Controls, has been revised to address the requirements for communicating significant control deficiencies.

Practice Statement #16—Report to the Audit Committee

CAS 260, Communications with Those Charged with Governance, requires certain communications with "those charged with governance." Many of the required communications in CAS 260 are similar to our existing practices; therefore, changes are subtle and have been incorporated into our standard templates. This practice statement provides areas of impact on Office policy and practices. Readers may also refer to Practice Statement #15—Communicating Significant Deficiencies in Internal Control.

Report to the Audit Committee—Annual Audit Plan

Identification of the persons with whom the auditor is required to communicate—We identify and confirm with the entity the person or persons considered to be those charged with governance for the purposes of the audit and related communications, usually the Audit Committee or equivalent body. Additionally, we establish expectations for the timing and nature of such communications. Audit procedures and detailed guidance have been included within TeamMate mandatory procedures C.6—Report to the Audit Committee—Audit Plan to assist the auditor to meet this requirement and the Report to the Audit Committee (RAC)—Annual Audit Plan template located on the Financial Audit INTRAnet site has been updated.

Communicate on a timely basis—We confirm communication expectations in the RAC—Annual Audit Plan by indicating matters we expect to communicate including other significant matters we may communicate. Certain matters must be communicated as soon as practicable, which may not necessarily mean in the next agreed communication such as the RAC—Annual Audit Results. Such matters include significant control deficiencies or other significant matters.

We use judgment to determine the appropriate timing for communicating matters requiring the Audit Committee's attention. When considering the timing, we consider the significance of the matter, including considerations such as if unresolved could the matter result in a modified audit opinion or an other matters or emphasis of matter paragraph being included in the Auditor's Report. We also consider whether the Audit Committee may be able to assist with the resolution of a matter.

Evaluating adequacy of two-way communications—We are required to evaluate the effectiveness of the communication with those charged with governance. There is an expectation that communication will be two-way, and that those charged with governance will communicate with us the matters they consider relevant to the audit, for example, strategic decisions that may significantly affect the nature, timing and extent of audit procedures, the suspicion or the detection of fraud, and concerns with the integrity or competence of senior management.

If the communication process is not considered appropriate, we need to take appropriate actions to improve the process and consider the impact on our risk assessing. Audit procedures and detailed guidance has been included within TeamMate mandatory procedures C.6—Report to the Audit Committee—Audit Plan to assist the auditor to meet this requirement.

The AA policy at paragraph 7.47 of the manual has been revised to reflect these additional CAS requirements as it relates to our audit results communications.

ANNUAL AUDIT POLICY

The audit team shall communicate in writing and on a timely basis with those having oversight responsibility for the financial reporting process. This report should describe the results of the audit and any significant observations and/or recommendations arising from it, as well as other information required by generally accepted auditing standards.

The audit Principal shall ensure significant issues identified during the course of the audit such as significant control deficiencies and/or matters, which could impact the Auditor's Report, are communicated to management and those having oversight responsibility for the financial reporting process as soon as practicable.

The audit Principal shall evaluate the effectiveness of this two-way communication process and where necessary take appropriate actions to improve the process and consider the impact on the Audit Risk Assessment.

Documentation—Auditors shall use and amend as appropriate the templates Report to the Audit Committee—Annual Audit Plan and Report to the Audit Committee—Annual Audit Results located on the Financial Audit INTRAnet site.

Practice Statement #17—Audit Sampling

CAS 530, Audit Sampling, has no Canadian equivalent prior to the adoption of ISAs; however, our methodology contains sufficient guidance and AA policy to address the requirements of the CAS with the exception of guidance on sampling deviations and techniques for investigating the nature and cause of deviations and misstatements. This practice statement provides guidance on these audit areas.

Audit Sampling

Sampling deviations—Only in "extremely rare" circumstances do we consider sampling differences to be an anomaly and, therefore, not projected for the purposes of inclusion in the SUD. Instead we perform additional audit procedures to obtain a high degree of "certainty" that these differences do not affect the remainder of the population and are, therefore, not representative. This implies significant rigour and requires a high degree of assurance.

Investigative techniques—Further to investigating differences, the CAS provides useful guidance discussing considerations for analyzing deviations and misstatements. These considerations include looking for common features, for example, type of transaction, location, product line or period of time. In such circumstances, we may decide to identify all items in the population that possess these common features, and extend audit procedures to those items. By stratifying populations based on common characteristics, we are able to focus our procedures on probable risks and possibly identify a strata of the original population for which the misstatements are representative and therefore projected.

Documentation—For guidance on documenting our error projections and preparing the SUD, refer to the document OAG Methodology on Evaluating Audit Differences located on the Financial Audit INTRAnet site. For additional guidance on audit sampling related to controls testing, refer to Controls Testing Guidance located on the Financial Audit INTRAnet site.

Practice Statement #18—The Auditor's Report

CAS 700, Forming an Opinion and Reporting on Financial Statements, provides auditors with a new reporting framework for a complete set of "general-purpose financial statements." Certain areas of change related to the reporting model are reflective of concepts contained in CAS 200, Overall Objectives of the Auditor, and CAS 210, Agreeing the Terms of the Audit Engagement, which have been presented in the following practice statements:

  • Practice Statement #4—Conducting our Audits in Accordance with CASs;
  • Practice Statement #5—Team Members' Understanding of CASs; and
  • Practice Statement #7—Preconditions for an Audit.

This practice statement provides guidance and revised AA policy on certain concepts relating to the form of the Auditor's Report as well as areas of impact to our practice.

The Auditor's Report

Standard form of the Auditor's Report—We express an unmodified opinion when we conclude the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. The template for our standard form Auditor's Report revised for CASs is located on the Financial Audit INTRAnet site. Audit teams shall use the template, modified as necessary to ensure appropriate wording is used, given our audit findings and conclusions.

Modified opinion—If we conclude, based on the audit evidence obtained, that the financial statements as a whole are not free from material misstatement, or we are unable to obtain sufficient appropriate audit evidence to conclude that the financial statements as a whole are free from material misstatement, we modify the opinion in the Auditor's Report. The audit Principal shall consult with the responsible AAG on issues that may indicate the financial statements are materially misstated or when they are unable to obtain sufficient appropriate audit evidence to achieve a relevant CAS objective. In such instances, auditors should refer to Practice Statement #4Conducting our Audits in Accordance with CASs .

The Auditor's Report—The required form and content of the Auditor's Report includes several new requirements including a description of management's responsibilities, and a more robust description of the auditor's responsibilities. Additionally, following the opinion paragraph, we will include a report on legal and other regulatory requirements where we provide an opinion related to our legislative reporting requirements.

Date of the Auditor's Report—We date our Auditor's Report no earlier than the date on which we have obtained sufficient appropriate audit evidence on which to base our opinion on the financial statements and the date of approval of the financial statements. As part of determining if we have obtained sufficient appropriate audit evidence we ensure the completion of the quality control review and that we have received management's representation letter. The date of approval of the financial statements is the date on which all the statements that comprise the financial statements, including the related notes, have been prepared and those with the recognized authority have asserted that they have taken responsibility for those financial statements.

Date of approval of the financial statements—The date of approval shall be the date we obtain financial statements approved by those with the recognized authority to approve the financial statements. Those with recognized authority may vary depending on the governance structure and/or enabling legislation of the entity; however, in practice the date of approval of the financial statements will often be the date the board of directors has passed a resolution to approve the financial statements. When considering who those with the recognized authority are, we note that Audit Committees are usually authorized to recommend approval of the financial statements to the board and do not actually approve the statements.

ANNUAL AUDIT POLICY

The audit Principal shall ensure an appropriately worded Auditor's Report is prepared based on the results of the audit evidence obtained and that the Auditor's Report is appropriately dated. The Auditor's Report shall be dated no earlier than the date the financial statements have been approved by those with the authority to approve the financial statements.

Documentation—Audit teams will use the OAG audit reporting tool/template to ensure a consistent and appropriate form and content for all our Auditor's Reports. The Auditor's Report is then documented in TeamMate at section D.1.PS—Auditor's Report.

Practice Statement #19—The Auditor's Report—Other Communications (emphasis of matter, other matter and non-compliance with authorities)

CAS 706, Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor's Report, provides the auditor with the opportunity to provide other communications in the Auditor's Report without modifying the auditor's opinion. These other communications are known as emphasis of matter and other matter. This practice statement provides guidance and new AA policy for other communications in the Auditor's Report.

The Auditor's Report—Other Communications (emphasis of matter and other matter paragraphs and compliance with authorities)

Other communications in the Auditor's Report relate to issues of significance to the reader of the financial statements, yet do not alter the auditor's opinion regarding the fair presentation of the financial statements. These issues may be communicated in the Auditor's Report as either an "emphasis of matter" paragraph or an "other matter" paragraph.

Emphasis of matter paragraph—An emphasis of matter paragraph is a paragraph included in the Auditor's Report that refers to a matter that is appropriately presented or disclosed in the financial statements that, in the auditor's judgment, is of such importance that it is fundamental to users' understanding of the financial statements.

An emphasis of matter should be rare and limited to matters appropriately presented or disclosed in the financial statements, be presented following the opinion paragraph, and clearly state that the auditor's opinion is not modified with respect to the matter. Because an emphasis of matter paragraph does not represent a modification to our opinion of the fair presentation of the financial statements, it should not be used to address matters inappropriately presented or disclosed in the financial statements. Circumstances that could lead to an emphasis of matter paragraph may include:

  • an uncertainty relating to the future outcome of exceptional litigation or regulatory action;
  • early application (where permitted) of a new accounting standard (for example, a new International Financial Reporting Standard) that has a pervasive effect on the financial statements in advance of its effective date; and
  • a major catastrophe that has had, or continues to have, a significant effect on the entity's financial position.

Refer to CAS 706 appendix 3 for an example of an Auditor's Report with an emphasis of matter paragraph.

Other matter paragraphs related to GAAS reporting requirements—An other matter paragraph is a paragraph included in the Auditor's Report that refers to a matter other than that presented or disclosed in the financial statements that, in the auditor's judgment, is relevant to users' understanding of the audit, the auditor's responsibilities, or the Auditor's Report. The other matter paragraph is placed immediately after the opinion paragraph and after any emphasis of matter paragraph. Circumstances that could lead to other matter paragraphs may include:

  • explaining why we cannot withdraw from an engagement where a scope limitation imposed by management is pervasive, yet we are unable to withdraw from an engagement by law; and
  • restricting distribution or use of the financial statements when the Auditor's Report is addressed to specific users, yet the financial statements have been prepared using a general-purpose framework.

Refer to CAS 706 appendix 2 for other instances in which the standards require the use of other matter paragraphs in the Auditor's Report.

Other matter paragraphs related to our legislative reporting responsibilities—When we wish to include an other matter paragraph in our Auditor's Report to draw the readers' attention to a matter that relates to our legislative reporting responsibilities or any other reporting requirements in addition to the CASs requirements, the paragraph should be included in a section subtitled Report on Other Legal and Regulatory Requirements. Examples may include our responsibilities under the FAA to report "other matters" if they come to the auditor's attention during the course of the audit of the financial statements. See the standard audit report template for appropriate placement and wording for our more common legislative reporting requirements.

Other legislative reporting requirements (compliance with authorities)—The CASs will not impact our legislative reporting requirements other than to require where such matters are presented in our Auditor's Report. The Auditor's Report template located on the Financial Audit INTRAnet site, which we use when preparing our Auditor's Report, provides guidance on format and presentation of matters related to our legislative reporting requirements (non-compliance with authorities). While there is no change to our audit practice with regards to compliance with authorities, auditors should ensure appropriate internal consultations and communication with the audit entity for instances of non-compliance with authorities.

Consultation with the audit AAG—When circumstances exist that may indicate the need for an emphasis of matter paragraph, other matter paragraph or reporting non-compliance with authorities within the Auditor's Report, the responsible AAG should be consulted. We consider whether the matter alters our opinion regarding the fair presentation of the financial statements; if not, we consider whether the matter warrants communication as an emphasis of matter or an other matter paragraph in the Auditor's Report and if so the appropriate wording is included.

Communication with the Audit Committee—When we expect to include in the Auditor's Report an emphasis of matter paragraph, other matter paragraph or report non-compliance with authorities, we shall communicate with the Audit Committee on a timely basis. We communicate in a manner that explains the nature of any specific matters and provides the Audit Committee with the opportunity to obtain further clarification where necessary and provides proposed wording to be included in the Auditor's Report. The significance of the matter and the Audit Committee's ability to help resolve or clarify the matter if necessary will impact the timing of this communication. If significant and/or the Audit Committee may help resolve a matter, communication should occur as soon as practicable.

Recurring matters—Where the inclusion of another matter paragraph on a particular matter in the Auditor's Report recurs on each successive engagement, the auditor may determine that it is unnecessary to repeat the communication on each engagement. An emphasis of matter paragraph provides information fundamental to the understanding of the reader of the financial statements; therefore, if circumstances recur in successive engagements, the emphasis of matter paragraph shall be repeated.

ANNUAL AUDIT POLICY

In circumstances where the audit team identifies an issue of significance to the audit, the audit Principal will consult with the responsible AAG to determine the impact, if any, on the Auditor's Report.

If the audit Principal and the responsible AAG conclude a significant issue will impact the Auditor's Report as a modified opinion, emphasis of matter paragraph, other matter paragraph or non-compliance with authorities, the audit Principal shall communicate with the Audit Committee in a timely manner his/her expectation to issue a non-standard Auditor's Report including the nature of the matter and proposed wording of the modified opinion or other communications paragraph(s).


Sensitive Issues

7.29 Certain sensitive issues should be brought to the attention of the Auditor General prior to the signing of the Auditor's Report. These issues include such matters as proposed reservations of opinion, that result in modifications to our standard Auditor's Report, including modifications to our opinion paragraph, proposed other communications such as emphasis of matter or other matter paragraphs, and/or reporting significant non-compliance with authorities. , proposed "other matters"Other sensitive issues may include instances of management estimates that have a significant impact on the reported results of operations, controversial professional positions, or "other matters" with the potential for broader implications beyond the audit entity alone.

ANNUAL AUDIT POLICY

The audit Principal and the responsible Assistant Auditor General should consult the Auditor General on any significant issues resulting in proposed modifications to the standard Auditor's Report reservations of opinion, "other matters," or any other sensitive issues, prior to the signing of the Auditor's Report.

Documentation—Audit teams will use the OAG audit reporting tool/template to ensure a consistent and appropriate form and content of our Auditor's Reports. The Auditor's Report is then documented in TeamMate at section D.1.PS—Auditor's Report. We document significant issues leading to other communications in the Auditor's Report in the audit file in a manner which is consistent with the experienced auditor principle.

Practice Statement #20—Written Representations

CAS 580, Written Representations, refers to the management representation letter and requires it be in writing and dated as near as practicable to the audit report date. This practice statement provides guidance and revised AA policy.

Management Letter of Representation

Representation letter as audit evidence—The management representation letter serves to provide audit evidence that we have obtained written representations from management and, where appropriate, those charged with governance that they believe that they have fulfilled their responsibility for the preparation of the financial statements and for the completeness of the information provided to the auditor.

Audit evidence—The management representation letter is considered a key source of audit evidence and, therefore, must be dated as near as practicable, but not after the date of the Auditor's Report. If we do not receive the management representation letter, then we cannot issue an unmodified Auditor's Report. Auditors should make every attempt to obtain representation from management; however, if all attempts fail, they should consult the AAG to escalate resolution of the matter and consult AAPT as appropriate to ensure the Auditor's Report is appropriately worded.

Reliability as audit evidence—If we have concerns about the competence, integrity, ethical values or diligence of management, or the commitment to or enforcement of these values, we must consider the reliability of these representations and the reliability of audit evidence in general for the Auditor's Report and opinion. Auditors shall communicate with the responsible AAG as soon as such concerns arise.

Paragraph 7.41 and the related AA policy have been revised to reflect the change in the requirements as follows:

7.41 A letter of representation is obtained for every audit and is dated so as to be effective as of near as practicable, but not after the date of the Auditor's Report. A template for a generic management representation letter is available on the Financial Audit INTRAnet site.

ANNUAL AUDIT POLICY

The audit Principal shall ensure that a letter of representation is obtained from the appropriate level of management to be effective as of near as practicable, but not after the date of the Auditor's Report.

If there is sufficient doubt about the integrity of management such that the written representations may not be reliable or management does not provide appropriate representations, the audit Principal shall communicate with the Audit Committee and assess the impact on the Auditor's Report and consult the responsible AAG.

Documentation—The Management Representation Letter template has been revised to reflect the new requirements and is available on the Financial Audit INTRAnet. The signed management representation letter obtained from the entity will be scanned and included in the TeamMate file or placed in the hardcopy file.

Practice Statement #21—Documentation Completion Requirements

CAS 220, Quality Control for an Audit of Financial Statements, and CAS 230, Audit Documentation, require the auditor to assemble the audit file and complete the administrative process on a timely basis after the date of the Auditor's Report. Timely completion of documentation shall not extend beyond 60 days from the audit report date. This practice statement provides revised guidance and AA policy for determining the documentation completion date.

Documentation Completion Requirements

Timely completion of the audit fileDocumentation Completion Requirements at paragraphs 7.59 to 7.63 of the manual have been revised to reflect CASs requirement for file completion to be completed within 60 days from the audit report date. Below are the manual sections as extracted and revised.

Documentation Completion Date

7.59 There are two three important dates that the audit team needs to consider and document for the Reporting Phase of the audit:

  • Date of the Auditor's Report is a date no earlier than the date on which the auditor has obtained sufficient appropriate audit evidence on which to base the auditor's opinion on the financial statements and the date of approval of the financial statements. Practice Statement #18 provides practical guidance for determining the date of the Auditor's Report.
  • The Audit Report Date is the date by which the auditor has identified and sought all the audit evidence required to support his/her opinion, and has obtained and examined substantially all such evidence. This date is also referred to as the date of "substantial completion of examination" and is the date indicated on the Auditor's Report
  • The Report Release Date is the date the auditor grants permission to use the Auditor's Report in connection with the issuance of the entity's financial statements. It is the date by which the Auditor's Report has been given final clearance by the signatory and by which the financial statements have been approved by the entity's board of directors, or its equivalent.
  • Documentation Completion Date is the date by which a complete and final set of audit documentation is assembled. This corresponds to the date on which the TeamMate audit master file is finalized through the TeamMate Finalization process. In addition to the TeamMate master file, all paper files considered as an integral part of the audit, if any, also form part of the audit file documentation.

7.60 A complete and final audit file must be assembled within 45 60 calendar days after the Auditor's Report Release Date. In the context of TeamMate, the process of completing the audit file documentation is done through the Finalization process, which moves the master file to the Complete/Finalized stage. To move the TeamMate audit master file into this Finalized stage, all steps and working papers have to be signed off as "reviewed." All paper files considered part of the audit, if any, must also be completed and finalized in the same time period.

ANNUAL AUDIT POLICY

The audit Principal shall ensure that complete and final annual audit file documentation is assembled within 45 60 calendar days after the Auditor's Report Release Date.

On rare occasions, where an element of documentation that has no impact on the auditor's opinion is completed and added to the file after the Documentation Completion Date, the audit team shall obtain approval from the Assistant Auditor General.


Subsequent Changes to Audit Documentation

7.61 By the Auditor's Report Release Date, the auditor shall have completed all necessary auditing procedures and obtained sufficient evidence to support the representations in the Auditor's Report. The completion of the assembly of the final audit file after the Auditor's Report Release Date is an administrative process that does not involve the performance of new audit procedures or the drawing of new conclusions. Changes may, however, be made to the audit documentation during the final assembly process if they are administrative in nature. Examples of such changes include:

  • deleting or discarding superseded documentation;
  • sorting, collating, and crossreferencing working papers;
  • signing off on completion of TeamMate audit steps relating to the file assembly process or administrative process; and
  • documenting audit evidence that the auditor obtained, discussed, and agreed on with the relevant members of the audit team prior to the Auditor's Report Release Date.

7.62 When changes in the audit documentation are required to be made after the Auditor's Report Release Date as a result of new audit procedures performed or the drawing of new conclusions, including amendments, the auditor must document when and by whom the additions were made and reviewed, the specific reasons for the additions, and the effect, if any, on the auditor's conclusions.

7.63 In rare cases where additions to audit documentation would be required after the Documentation Completion Date, and in addition to the requirements on documentation after the Auditor's Report Release Date, the auditor must not delete or discard audit documentation from the final audit file. Where the auditor finds it necessary to make additions (including amendments) to audit documentation after the Documentation Completion Date, the auditor shall document the additions in the paper file or in the following year TeamMate file regardless of the nature of the additions. As an example, this could be the case when the annual report is issued or when a management letter is finalized after the Documentation Completion Date.

ANNUAL AUDIT POLICY

The audit Principal shall ensure that there is documentation of the specific reasons for and the impact of any additions or amendments made to the audit file as a result of new audit procedures performed and/or new conclusions drawn after the Auditor's Report Release Date.

After the Documentation Completion Date, the auditor shall not delete or discard audit documentation from the final audit file. Where the auditor finds it necessary to make additions (including amendments) to audit documentation after the Documentation Completion Date, the auditor shall document when and by whom the additions were made and reviewed, the specific reasons for the additions, and the effect, if any, on the auditor's conclusions.

The audit Principal shall obtain approval from the Assistant Auditor General for all subsequent changes to audit documentation.