COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
8020 Recommendations and Entity Responses
Jul-2020
Overview
Recommendations to entities address areas where, if deficiencies remain uncorrected, there would be significant risks to the entity and, in some cases, to Canadians. Recommendations guide the action needed to correct the problems identified in the audit findings. Entity responses to recommendations are published in the final report.
Follow-up audits works assess progress the entity has made toward implementing recommendations or resolving significant issues from a previous audit.
CSAE 3001 Requirements
72. The practitioner’s conclusion shall be clearly separated from information or explanations that are not intended to affect the practitioner’s conclusion, including any findings related to particular aspects of the engagements, recommendations or additional information included in the assurance report. The wording used shall make it clear that findings, recommendations or additional information is not intended to detract from the practitioner’s conclusion. (Ref: Para. A158-A160)
81. The practitioner shall consider whether, pursuant to the terms of the engagement and other engagement circumstances, any matter has come to the attention of the practitioner that is to be communicated with the responsible party, the engaging party, those charged with governance or others. (Ref: Para. A190)
CSAE 3001 Application Material
A160. The practitioner may choose a “short form” or “long form” style of reporting to facilitate effective communication to the intended users. “Short-form” reports ordinarily include only the basic elements. “Long-form” reports include other information and explanations that are not intended to affect the practitioner’s conclusion. In addition to the basic elements, long-form reports may describe in detail the terms of the engagement, the applicable criteria being used, findings relating to particular aspects of the engagement, details of the qualifications and experience of the practitioner and others involved with the engagement and, in some cases, recommendations. The practitioner may find it helpful to consider the importance of providing such information to the information needs of the intended users. As required by paragraph 72, additional information is clearly separated from the practitioner’s conclusion and phrased in such a manner so as make it clear that it is not intended to detract from that conclusion.
A190. Matters that may be appropriate to communicate with the responsible party, the engaging party or others include fraud or suspected fraud.
OAG Policy
Audits shall include recommendations to the entity to point to the direction in which positive changes can be made. Recommendations are not required for each audit finding. Recommendations shall be addressed to a specific entity or, if more than one entity is involved, to clearly defined entities. [Nov-2011]
Entities shall be given an opportunity to provide written responses to recommendations that will be included in the audit report. [Apr-2015]
Follow-up audit work shall assess progress made by entities toward either implementing recommendations from the original audit or resolving the issues that the original recommendations were intended to address. [Nov-2013]
OAG Guidance
What the CSAE 3001 means for recommendations and entity responses
The CSAE 3001 cited above notes that audit reports may include, in some cases, recommendations. OAG policy goes beyond this by requiring that, as appropriate, audit reports should contain recommendations and entity responses.
It is important for the team to consider objectively the impact of the recommendation on the entity. Recommendations should encourage the appropriate action needed to correct the underlying causes of problems or improve operations, without being overly prescriptive.
Finally, the standards indicate that recommendations should be clearly separated from the conclusion.
Developing recommendations
Recommendations address areas where there are significant risks to the entity if deficiencies remain uncorrected. Audits include recommendations where the findings demonstrate the potential for significant improvement in performance. Recommendations address serious weaknesses, and they should be fully supported by and flow from the findings (OAG Audit 7021 Evaluate the sufficiency and appropriateness of audit evidence). Not every finding warrants a recommendation—only the ones with serious weaknesses. Each recommendation is written in a separate, stand-alone paragraph located in the section of the audit report where the related finding is discussed.
Recommendations guide the actions needed to correct the problems identified in the findings, but it is up to the entity to decide what these actions should be. Recommendations are
-
thought out during the examination phase;
-
entity-specific, even in government-wide and sectoral audits;
-
focused on areas of significant risk;
-
fully supported by the audit findings and conclusions;
-
consistent within the audit report and mindful of recommendations made in previous audit reports, where applicable;
-
positive in tone and content;
-
clear on the desired final outcome;
-
succinct but detailed enough to stand alone;
-
aimed at correcting the underlying causes of the weakness;
-
results-oriented, giving an indication of the intended outcome;
-
practical, such that the entity, taking into account legal and cost constraints, can implement them in a reasonable time frame; and
-
specific enough to allow for monitoring and assessing progress made in implementing them—but not overly prescriptive.
Below are some examples of sound recommendations:
-
Recommendation. National Defence should refine its estimates for complete costs related to the full life cycle of the F-35 capability, and provide complete estimated costs and the supporting assumptions as soon as possible. Furthermore, National Defence should regularly provide the actual complete costs incurred throughout the full life cycle of the F-35 capability.
-
Recommendation. Transport Canada should clarify what information on industry and aviation companies should be used in making risk-based decisions, collect that information, assess its completeness and reliability, and develop risk profiles when preparing annual surveillance plans in the regions.
-
Recommendation. National Defence should review and apply the lessons learned with these helicopter acquisitions to ensure that, for future major capital equipment acquisitions, the degree of modifications and/or development involved is fully reflected in approval documents—in the assessment of risk, project timelines, and costs—and that procurement strategies are tailored to the complexity of the equipment being acquired.
For sectoral and government-wide audits, the engagement leader discusses recommendations made to entities other than those in his or her usual portfolio with the appropriate principal responsible for that entity.
Findings that point to making a recommendation for changes to legislation are highly sensitive and need to be discussed with Legal Services with special approval from the Auditor General.
To enable the development of clearly stated and action-oriented recommendations and to provide the audited entity with the time required to prepare responses and develop an action plan, the audit team seeks the views of entity officials as early as possible, normally close to the end of the examination phase when drafting the audit report. The PX draft includes draft recommendations.
Discussions between the engagement leader and the entity’s senior management at this stage include the suitability and practicality of the draft recommendations and the entity’s likely responses to them (OAG Audit 8019 Submitting the principal’s (PX) draft and transmission draft).
Performance audits
Recommendations are intended to address significant risks and improve deficiencies. They guide the actions needed to correct the problems identified.
Special examinations
Recommendations are intended to improve the systems and practices in the Crown corporation for safeguarding public assets, the economical and efficient use of resources, and the effectiveness of operations.
Entity responses to recommendations
The audit team begins drafting recommendations in preparation for the principal’s (PX) draft, and discusses responses with the entity as early as possible. By the time the transmission draft is issued, the entity responses to recommendations must be included in it. Publishing an audited entity’s response to a recommendation gives the entity the opportunity to indicate whether it agrees or disagrees with the recommendation, and what actions it intends to take and when. The response also provides a starting point for following up on the audit.
The OAG has established limits on the content and publication of entity responses and will not normally publish
- general responses to audit reports;
- entity responses where no recommendations have been made; or
- entity responses where, in the case of a follow-up on a previous audit, no new recommendations have been made.
It is not appropriate for entities to use responses to refute audit findings. Every effort is made to resolve disputes about the validity and completeness of audit findings during earlier discussions (OAG Audit 8019 Submitting the principal’s (PX) draft and transmission draft). Because the OAG is associated with everything it publishes and because it must follow professional standards, it will not publish anything that it believes is false or misleading. Responses are located right after the related recommendations.
Entity responses are required to clearly indicate if the entity agrees or disagrees with the recommendation. All responses must be kept to a maximum of 200 words, and should include actions that the entity’s senior management intends to take to respond to the recommendation. If the entity does not agree with the recommendation, the response must state the reason. This reason is also included in the audit report.
The response narrative must be consistent with the “Agreed” or “Disagreed” statement. It should also include actions, timelines, and clear accountability, all of which provide a basis for a potential future follow-up. The OAG determines whether the response wording is appropriate and sufficient. If agreement is conditional or partial, as a last resort only, the audit team, in consultation with the assistant auditor general, can consider changing the response to “Partially agreed” and communicate this to the entity. This option is available to the audit team but is not given to the entities and should only be used in exceptional circumstances.
The OAG encourages the audit committee to play an active role in reviewing and assessing the adequacy of the entity’s responses to the recommendations. When more than one entity has been audited, a joint response or multiple responses from each entity is acceptable. The audit team will inform the audited entity of any significant editorial changes to their final responses.
Below are some examples or responses that are not adequate:
In this first example, the response indicates that the Department disagrees with the finding (i.e., it is already doing what is recommended).
Recommendation. The Department should improve its reports on the market debt by . . .
Response. Agreed. Where feasible, the Department will aim to improve the information content of our reports. We would note, however, that compared to its peers, Canada is already among the most informative in terms of . . . The Debt Management Strategy and Debt Management Report are among the most transparent documents of the G20 countries with respect to describing the government’s debt strategy as well as providing performance outcomes. New metrics have been added to recent reports . . .
In this second example, the response indicates that the Department believes that it is already doing what is recommended, and that the ability to implement the recommendation depends on Government of Canada policies.
Recommendation. The Department should follow through on its previous commitments to develop meaningful performance measures and indicators.
Response. Agreed. Performance indicators should evolve and adapt to changes in the program. Existing indicators continue to provide relevant information on program activities, expenditures, and results. New indicators, however, can provide even more meaningful information if the systems to collect and report on the data can be created. System changes will be governed by Agency and Government of Canada funding and expenditure policies . . .
Performance audits
It is critical that responses are received by the specified T-minus date in order to follow the audit report production schedule. For responses not received by the specified date, the report indicates that the OAG did not receive a response in time to meet the production deadline.
Special examinations
The corporation’s responses must be received before the audit committee meets to review the final draft report. Once the team receives the Crown corporation’s responses to recommendations, the team will provide the draft report, including the responses, to the audit committee.
Follow-up audit work for performance audits
The follow-up audit work aims to assess progress made by entities to either implement recommendations from a previous performance audit or resolve the issues that the recommendations addressed. All reports that include a critical mass of follow-up audit work rate, according to the OAG’s criteria, whether progress has been satisfactory. Overall progress will be unsatisfactory if the entity has not fully implemented the more significant recommendations.
The follow-up audit portions of reports do not normally repeat recommendations from the previous report. Also, if there are findings and conclusions on new issues, the audit team may make “new” recommendations to address them. Recommendations resulting from follow-up audit work should be separate from recommendations that came out of new” audit work. The standards, policies, and guidelines for making recommendations are the same and, likewise, the entity’s responses are included in the final report.
Other issues for the attention of entity management
Sometimes the audit team identifies issues that are important enough to be brought to the attention of entity management but not necessarily to the attention of Parliament or the board of directors, or the issues may be outside the scope of the audit. For example, during an audit, an audit team may identify opportunities for entity management to improve procedures. In such instances, the audit team advises the entity (usually within one month of tabling/transmitting to the board the related report). The team communicates its findings to the deputy head, the chief executive officer or the head of the entity’s internal audit function, as appropriate. The preferred way to communicate audit findings is through a meeting with entity management. This may also be done through a management letter, in which case the Auditor General should be made aware of it. If the OAG issues a management letter, it may request a written response that includes proposed actions and target completion dates. The OAG may also choose to follow up on the issues at a later date.
Public Accounts Committee and action plans related to performance audit reports
Since October 2011, entities included in a performance audit report must provide the Public Accounts Committee with an action plan to be published on the Public Accounts Committee’s website. The plan must include specific actions, timelines for their completion, and responsible individuals—to the Public Accounts Committee and the Office of the Auditor General within six months of the audit being tabled, or prior to the Public Accounts Committee hearing. Performance audit reports tabled by the Commissioner of Environment and Sustainable Development are not referred to the Public Accounts Committee so there is no requirement for action plans from entities connected to CESD reports.