4090 Audit Plan Summary for Performance Audits
Aug-2021

Overview

The OAG provides the audited entities with a summary of the audit plan (including audit objective, criteria, and scope and approach) and requests that the deputy head of each audited entity formally acknowledge responsibility for the subject matter of the audit and acknowledge the terms of the engagement, including the suitability of the criteria as a basis for concluding on the audit objective. This is done through a document called the audit plan summary.
 

CSAE 3001 Requirements

24. The practitioner shall accept or continue a direct engagement only when: (Ref: Para. A31-A34)

[...]

(c) The basis upon which the engagement is to be performed has been agreed, through:

[...]

(ii) Confirming that there is a common understanding between the practitioner and the engaging party of the terms of the engagement, including the practitioner’s reporting responsibilities.

29. The practitioner shall agree the terms of the engagement with the engaging party. The agreed terms of the engagement shall be specified in sufficient detail in an engagement letter or other suitable form of written agreement, written confirmation, or in law or regulation. (Ref: Para. A55-A57)

30. The practitioner shall seek the responsible party’s written acknowledgement of responsibility for the underlying subject matter. If the practitioner does not obtain such acknowledgement, the practitioner shall:

(a) obtain other evidence that the responsible party is responsible for the underlying subject matter, such as a reference to legislation or a regulation; and

(b) consider how the lack of the responsible party’s written acknowledgement might affect the practitioner’s work and conclusion.

31. The practitioner shall seek to obtain from the responsible party, written acknowledgement that the criteria are suitable for the engagement. When such acknowledgement cannot be obtained, the practitioner shall consider the effect, if any, on the practitioner’s work and report.

33. The practitioner shall not agree to a change in the terms of the engagement where there is no reasonable justification for doing so. If such a change is made, the practitioner shall not disregard evidence that was obtained prior to the change. (Ref: Para. A58)

47. If it is discovered after the engagement has been accepted that one or more of the applicable criteria are unsuitable, the practitioner shall, if practicable, revise the criteria and seek acknowledgement from the responsible party that the revision is appropriate. When such an acknowledgement cannot be obtained, the practitioner shall consider the effect, if any, on the practitioner’s work and report.

CSAE 3001 Application Material

A55. It is in the interests of both the engaging party and the practitioner that the practitioner communicates in writing the agreed terms of the engagement before the commencement of the engagement to help avoid misunderstandings. The form and content of the written agreement or contract will vary with the engagement circumstances. For example, if law or regulation prescribe in sufficient detail the terms of the engagement, the practitioner need not record them in a written agreement, except for the fact that such law or regulation applies and that the appropriate party acknowledges and understands its responsibilities under such law or regulation.

A56. In certain types of engagement, agreeing on the terms and conditions of the engagement may be done before the commencement of the engagement using an engagement letter. For other types of engagement (such as performance audits in the public sector), the details typically included in an engagement letter (such as the engagement objective, scope and criteria to be used) are known only at the end of the initial planning phase. In such cases, agreement on the terms of the engagement is obtained from the appropriate party at the end of the initial planning phase.

A57. Law or regulation, particularly in the public sector, may mandate the appointment of a practitioner and set out specific powers, such as the power to access an appropriate party(ies)’s records and other information, and responsibilities, such as requiring the practitioner to report directly to a minister, the legislature or the public if an appropriate party(ies) attempts to limit the scope of the engagement.

A58. A change in circumstances that affects the intended users’ requirements, or a misunderstanding concerning the nature of the engagement, may justify a request for a change in the engagement, [...]. An inability to obtain sufficient appropriate evidence to form a reasonable assurance conclusion is not an acceptable reason to change from a reasonable assurance engagement to a limited assurance engagement.

A85. Planning involves the engagement partner, other key members of the engagement team, and any key practitioner’s external experts developing an overall strategy for the scope, emphasis, timing and conduct of the engagement, and an engagement plan, consisting of a detailed approach for the nature, timing and extent of procedures to be performed, and the reasons for selecting them. [...]

A86. The practitioner may decide to discuss elements of planning with the appropriate party(ies) to facilitate the conduct and management of the engagement (for example, to coordinate some of the planned procedures with the work of the appropriate party(ies)’s personnel). Although these discussions often occur, the overall engagement strategy and the engagement plan remain the practitioner’s responsibility. When discussing matters included in the overall engagement strategy or engagement plan, care is required in order not to compromise the effectiveness of the engagement. For example, discussing the nature and timing of detailed procedures with the appropriate party(ies) may compromise the effectiveness of the engagement by making the procedures too predictable.

A87. Planning is not a discrete phase, but rather a continual and iterative process throughout the engagement. As a result of unexpected events, changes in conditions, or evidence obtained, the practitioner may need to revise the overall strategy and engagement plan, and thereby the resulting planned nature, timing and extent of procedures.

A165. The assurance report identifies the applicable criteria against which the underlying subject matter was measured or evaluated so the intended users can understand the basis for the practitioner’s conclusion. The assurance report may include the applicable criteria, or refer to them if they are otherwise available from a readily accessible source. It may be relevant in the circumstances, to disclose:

  • The source of the applicable criteria, and whether or not the applicable criteria are embodied in law or regulation, or issued by authorized or recognized bodies of experts that follow a transparent due process; that is, whether they are established criteria in the context of the underlying subject matter (and if they are not, a description of why they are considered suitable). [...]

OAG Policy

The audit team shall

  • submit the audit plan summary to the deputy head of each audited entity to seek acknowledgement of the terms of the engagement, and
  • inform the deputy head of each audited entity of any subsequent significant changes to the audit plan summary. [Nov-2016]

As part of the letter sent to the deputy head of each audited entity with the audit plan summary, the audit team shall seek entity management’s acknowledgement of the suitability of the audit criteria. When the audit team is unable to obtain such acknowledgement, the engagement leader shall consider the effect, if any, on the audit work and the audit report and shall document the assessment. [Nov-2016]

As part of the letter sent to the deputy head of each audited entity with the audit plan summary, the audit team shall seek entity management’s acknowledgement of management’s responsibility for the subject matter as it relates to the objective(s) of the audit. When the audit team is unable to obtain such acknowledgement, it shall obtain other evidence that the audited entity is responsible for the underlying subject matter, such as a reference to legislation or regulation. In addition, the engagement leader shall consider the effects of the lack of entity management’s acknowledgement, if any, on the audit work and conclusion and document the assessment. [Nov-2016]

OAG Guidance

What CSAE 3001 Means for the Audit Plan Summary

CSAE 3001 requires that the engagement leader confirms that there is a common understanding between the audit team and the audited entity concerning the terms of the engagement. Seeking such acknowledgment may help to avoid misunderstandings. The CSAE 3001 also requires the audit team to seek the audited entity management’s acknowledgement of its responsibility for the subject matter, as well as the suitability of the criteria for the audit. This is key to ensuring that the entity does not indicate later in the audit that it disagrees with key terms of the engagement.

In terms of OAG practices, these requirements are included in the letter accompanying the audit plan summary that is sent to the deputy head of the audited entity at the end of planning phase. The audited entity acknowledges the terms of the engagement along with its responsibility as set out in the audit plan summary and acknowledges that the criteria set out in the document are suitable as a basis for concluding on the audit objective.

Identifying Who is Responsible for the Subject Matter Under Audit

Within the framework of ministerial accountability to Parliament, as stated by the Privy Council Office, deputy heads

  • are responsible and accountable for a wide range of duties including policy advice, program delivery, internal departmental management, and interdepartmental coordination; and

  • carry a general obligation of accountability to the Treasury Board for the overall management capacity and performance of the department.

For this reason, the request for acknowledgement is sent to the deputy head of the entity being audited by the engagement leader.

Drafting the Audit Plan Summary

When preparing an audit plan summary, the audit team must use the OAG-approved template. The content of the template may be modified according to the professional judgment of the engagement leader to best suit the information needs of the audited entity. However, the audit team should be familiar with the relevant CSAE 3001 requirements to ensure that modifications made do not compromise these requirements.

The audit plan summary communicates key terms of the engagement to the audited entity. It includes key information from the final audit logic matrix (OAG Audit 4044  Developing the audit strategy: audit logic matrix), including the audit objective (OAG Audit 4041 Audit objective), scope and approach (OAG Audit 4042 Audit scope and approach), audit criteria and their sources (OAG Audit 4043 Audit criteria), and a summary of management’s responsibility for the subject matter of the audit. The objective of the audit plan summary is to provide sufficient information to enable entity management to understand the terms of the engagement, confirm its responsibility for the audit subject matter, and acknowledge the suitability of the audit criteria.

Once the audit plan summary is drafted, it should be reviewed and approved by the engagement leader after having been previously discussed with internal and external specialists according to the consultation process in place (OAG Audit 3081 Consultations). The engagement leader, in consultation with the assistant auditor general, may also decide that the Auditor General’s input will be sought on the scope of the engagement.

In most cases, information in the audit plan summary will later be included in the About the Audit section of the audit report (OAG Audit 7030 Drafting the audit report).

Communicating the Audit Plan Summary to the Audited Entity

The draft audit plan summary is communicated to entity management for review and comment before it is finalized. This is frequently accomplished by holding a discussion meeting with the responsible parties. Communicating the draft audit plan summary to entity’s management allows for a common understanding of what areas the audit team will examine and why, and provides an opportunity for management to comment on the content of the plan, including the audit criteria.

After the audit plan summary is finalized, the engagement leader must take into account the comments obtained from entity management, and review and approve the audit plan summary before sending it to the deputy head. The plan is accompanied by a transmission letter that includes an “acknowledgement letter template” to facilitate the deputy head’s comments and acknowledgement of the terms of the engagement, including the suitability of the audit criteria and the responsibility for the subject matter. It is important to note that this step does not delay progress of the audit—including, in some cases, early examination work. This should be made clear to the entity from the outset.

If there are any changes to the key terms of the audit (including objective, criteria, and scope and approach) after the entity signs off on the audit plan summary, these changes and their rationale are approved by the engagement leader, discussed with the quality reviewer (if any), and communicated to the audited entity. If changes are significant, the engagement leader should consider whether a revised audit plan summary should be provided to the entity. In these circumstances, the engagement leader shall not disregard evidence that was obtained before the change.

Changes to the terms of the engagement after the Plan was sent to the Entity

Sometimes in the course of the examination phase, circumstances require changes to the audit plan, to the criteria, to the examination approach, or to the level of resources. For example, the audit team may modify:

  • The objective of the performance audit, where additional risks or other changes to the risks have been identified;

  • The scope of the performance audit, as a result of a change in legislation, a change in the responsible party, or a change in the focus of the performance audit by the audit team; or

  • The applicable criteria, based on the audit team’s knowledge of the underlying subject matter.

Such changes and their rationale are documented in the audit file and approved by the engagement leader, discussed with the quality reviewer (if any), and, if significant, communicated to the audited entity.

When the audit team modifies the objective of the performance audit or the applicable criteria, the audit team may consider it necessary to seek acknowledgment of the change from the entity to avoid misunderstandings.

The practitioner should not agree to a change in the terms of the engagement if there is no reasonable justification for doing so.

Unresolved Differences

If there is a disagreement regarding the acknowledgement of management’s responsibility or the suitability of the audit criteria, or if the entity fails to respond to the audit plan summary, the engagement leader and audit team should work closely with entity management immediately to reach a resolution. If the disagreement is not resolved or a suitable response is not received, the engagement leader, in consultation with the assistant auditor general should take the issue to the Auditor General to decide on further action.

If the audit team is not able to obtain the entity’s written acknowledgement of its responsibility for the subject matter as it relates to the objective of the audit, the audit team is required by CSAE 3001 to obtain further evidence that the audited entity is responsible for the subject matter. The audit team may consult with Legal Services, as needed, to clarify the entity’s mandate and/or legal obligations. The engagement leader must also consider the impact of not obtaining this confirmation on the audit work and the audit conclusion. This assessment and actions taken by the team should be documented in the audit file.

If the audit team is not able to obtain the entity’s acknowledgement of the suitability of criteria, the engagement leader must consider the effect, if any, on the audit work and the audit report. This assessment and actions taken by the team in response should be documented in the audit file.

Any unresolved disagreement related to management responsibility for the subject matter or suitability of the audit criteria must be disclosed in the audit report, typically in the About the Audit section (OAG Audit 7030 Drafting the audit report).