12010 Direct Engagements to Report on Compliance with Specified Requirements (reports on compliance)
Jul-2019

Overview

The Canadian Standard on Assurance Engagements (CSAE) 3531, Direct Engagements to Report on Compliance, has been in effect since April 2019. CSAE 3531 covers engagements previously conducted under the CPA Handbook sections on Special Reports—Compliance with Agreements. This new standard is not expected to have a big impact on direct engagements at the Office of the Auditor General of Canada (OAG). However, if the OAG decides or is asked to carry out a direct engagement to report on compliance with specified requirements (report on compliance), audit teams will need to plan, perform, and report the engagement according to CSAE 3531. CSAE 3531 supplements, but does not replace, CSAE 3001. Engagements to report on compliance with specified requirements are narrow in scope, with a sole focus on compliance with specific requirements at an identified point in time or for a specified period of time.

CSAE 3531 Requirements

1. This Canadian Standard on Assurance Engagements (CSAE) deals with special considerations in the application of CSAE 3001 to reasonable assurance or limited assurance engagements to report on an entity’s compliance with agreements, specified authorities, or a provision thereof. The specific requirements established in agreements, by specified authorities, or a provision thereof against which compliance is measured and evaluated are referred to as specified requirements throughout this standard. (Ref: Para. A1-A4)

9. Engagements under this CSAE may relate to a wide range of underlying subject matters. Examples of engagements that fall under the scope of this CSAE include reporting on an entity’s compliance with:

  • Requirements in a funding agreement specifying the purposes for which funding received by an entity must be spent;
  • Requirements in leasing agreements;
  • Covenants contained in loan agreements or bond indentures; and
  • Performance requirements set out in policy or legislation, such as hospital wait times established by a government agency or body.

15. When performing a direct engagement within the scope of this CSAE, in addition to complying with this CSAE, the practitioner is required to comply with CSAE 3001. This CSAE supplements, but does not replace, CSAE 3001, and expands on how CSAE 3001 is to be applied in an engagement to report on compliance with specified requirements.

18. In providing assurance on an entity’s compliance with specified requirements as at a point in time, or for a specified period of time, the objectives of the practitioner are to:

(a) Obtain either reasonable assurance or limited assurance, as appropriate, about whether an entity complies with specified requirements; and

(b) Express a conclusion that conveys either reasonable assurance or limited assurance on the matter noted in (a) in accordance with the practitioner’s findings. (Ref: Para. A5)

19. For purposes of this CSAE, the following terms have the meanings attributed below:

(a) Agreements – Written arrangements between the entity and a third party including agreements, contracts or memoranda of understanding, containing requirements with which the entity must comply.

(b) Criteria – The benchmarks used to measure or evaluate the entity’s compliance with specified requirements.

(c) Internal control over compliance – An entity’s internal control to manage the risk of non-compliance with specified requirements. (Ref: Para. A6)

(d) Non-compliance – A deviation from the specified requirements. (Ref: Para. A7)

(e) Relevant parties – The parties involved in an assurance engagement. Typically, this will include the user of the practitioner’s report (who, in some circumstances, may be a regulator), the practitioner and the entity’s management, although these parties may be referred to using different terms.

(f) Significant interpretation – An interpretation of the specified requirements necessary to enable the practitioner to conduct the engagement on the entity’s compliance. An interpretation is significant if a different interpretation could be made that would change the practitioner’s conclusion.

(g) Specified authorities – Legislation, regulations, orders-in-council, directives, municipal bylaws, corporate bylaws and other instruments through which powers are established and delegated. This term is commonly used in the public sector.

(h) Specified requirements – The specific requirements established in agreements, by specified authorities, or a provision thereof, with which the entity is required to comply.

23. If the practitioner determines that the specified requirements require significant interpretation, prior to accepting the engagement, the practitioner shall consider the likelihood of being able to:

(a) In consultation with relevant parties, develop the necessary interpretation; and

(b) Seek acknowledgment from management that the interpretation is suitable.

If it is unlikely that the practitioner will meet (a) and (b) above, the practitioner shall not accept the engagement, unless required by law or regulation to do so. (Ref: Para. A10)

26. In obtaining an understanding of the entity and its environment and the specified requirements, the practitioner shall make inquiries concerning how management monitors the entity’s compliance with the specified requirements.

28. When the practitioner determines that the specified requirements require significant interpretation, the practitioner shall:

(a) In consultation with relevant parties, develop the necessary interpretation; and

(b) Seek acknowledgment from management that the interpretation is suitable. (Ref: Para. A19)

If the practitioner is unable to develop the necessary interpretation or cannot obtain acknowledgment from management, the practitioner shall take appropriate actions, as required by CSAE 3001.

29. When the specified requirements require significant interpretation, the practitioner shall evaluate the consistency between periods in the application of the interpretation of the specified requirements made by management. (Ref: Para. A20)

32. When reporting on an entity’s compliance with specified requirements as at a point in time or throughout a specified period of time, the practitioner shall evaluate activities performed by the entity to meet the specified requirements and assess the entity’s compliance with specified requirements as at the point in time or throughout the specified period of time.

33. In addition to the written representations required by CSAE 3001, the practitioner shall request representations from management: (Ref: Para. A28)

(a) Acknowledging management’s responsibility to comply with the specified requirements;

(b) Acknowledging management’s responsibility for such internal control over compliance with the specified requirements as management determines is necessary;

(c) Stating whether management has performed an evaluation of the entity’s compliance with the specified requirements;

(d) When applicable, stating management’s responsibility for significant interpretation of the specified requirements and management’s acknowledgment that the interpretation is suitable;

(e) Stating that the criteria used in the engagement are suitable;

(f) Stating that management has disclosed any communications from legislative authorities or counterparties to agreements concerning possible non-compliance with the specified requirements, including communications received between the end of the period addressed in the written statement and the date of the practitioner’s report; and

(g) Stating that management has disclosed any known non-compliance with the specified requirements occurring during the period or subsequent to the period for which, or date as of which, the practitioner concludes.

35. As soon as practicable, the practitioner shall make management aware of significant non-compliance that has come to the practitioner’s attention. (Ref: Para. A31)

36. The practitioner shall form a conclusion about whether the entity complied with the specified requirements, in all significant respects.

37. The practitioner’s report on compliance shall include, at a minimum, the following basic elements:

(a) A title that clearly indicates that the practitioner’s report is an independent practitioner’s assurance report.

(b) An addressee. (Ref: Para. A32)

(c) An identification or description of the level of assurance obtained by the practitioner.

(d) Identification or description of the specified requirements and significant interpretations, if any, including the point in time or period of time to which the measurement or evaluation of compliance relates. (Ref: Para. A33-A34)

(e) A description of management’s responsibility for the entity’s compliance with the specified requirements.

(f) A description of the practitioner’s responsibility to express a reasonable assurance opinion or a limited assurance conclusion on the entity’s compliance with the specified requirements.

(g) A statement that:

(i) The engagement was performed in accordance with this CSAE; and

(ii) This CSAE requires that the practitioner plan and perform the engagement to obtain either reasonable assurance or limited assurance about whether the entity complied with specified requirements.

(h) An informative summary of the work performed as a basis for the practitioner’s conclusion. (Ref: Para. A35-A39) In the case of a limited assurance engagement, an appreciation of the nature, timing and extent of procedures performed is essential to understanding the practitioner’s conclusion. In a limited assurance engagement, the summary of the work performed shall state that:

(i) The procedures performed in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement; and

(ii) Consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed.

(i) In a reasonable assurance engagement, a statement that the practitioner believes the evidence obtained is sufficient and appropriate to provide a basis for the practitioner’s opinion.

(j) A statement that the firm of which the practitioner is a member applies CSQC 1, or other professional requirements, or requirements in law or regulation, that are at least as demanding as CSQC 1. If the practitioner is not a professional accountant, the statement shall identify the professional requirements, or requirements in law or regulation, applied that are at least as demanding as CSQC 1.

(k) A statement that the practitioner complies with the independence and other ethical requirements of relevant rules of professional conduct / code of ethics applicable to the practice of public accounting and related to assurance engagements, issued by various professional accounting bodies, or other professional requirements, or requirements imposed by law or regulation, that are at least as demanding. If the practitioner is not a professional accountant, the statement shall identify the professional requirements, or requirements imposed by law or regulation, applied that are at least as demanding.

(l) A statement that the practitioner does not provide a legal opinion of the entity’s compliance with the specified requirements. (Ref: Para. A40)

(m) The practitioner’s conclusion: (Ref: Para. A41-A42)

(i) In a reasonable assurance engagement, the conclusion shall be expressed in a positive form.

(ii) In a limited assurance engagement, the conclusion shall be expressed in a form that conveys whether, based on the procedures performed and evidence obtained, a matter has come to the practitioner’s attention to cause the practitioner to believe that the entity is not in compliance, in all significant respects, with the specified requirements.

(iii) The conclusion in (i) or (ii) shall be phrased in terms of whether the entity complied with the specified requirements, in all significant respects.

(n) The practitioner’s signature.

(o) The date of the practitioner’s report, which shall be no earlier than the date on which the practitioner has obtained the evidence on which the practitioner’s conclusion is based.

(p) The location in the jurisdiction where the practitioner practices.

39. The practitioner shall express a modified conclusion when the practitioner concludes that:

(a) The entity has not complied, in all significant respects, with the specified requirements; or

(b) A scope limitation exists and the effect of the matter could be significant. (Ref: Para. A49)

40. The practitioner shall describe the matter giving rise to the modification in the practitioner’s report on compliance and the practitioner’s conclusion shall be modified in accordance with CSAE 3001. (Ref: Para. A50-A51)

CSAE 3531 Application Material

A8. In an engagement letter, a written acknowledgment is the most appropriate form of documenting a mutual understanding of the respective responsibilities of management and the practitioner regarding compliance with the specified requirements. In the absence of a written acknowledgment by management, it may still be appropriate for the practitioner to accept the engagement if other sources, such as legislation or a contract, indicate the entity’s responsibility. In other cases, it may be appropriate to decline the engagement, or to disclose the circumstances in the practitioner’s report, depending on the circumstances.

A15. For a reasonable assurance engagement, CSAE 3001 requires the practitioner to obtain an understanding of internal control relevant to the engagement. In a reasonable assurance compliance reporting engagement, the practitioner obtains an understanding of the entity’s process for ensuring compliance, including controls in place and whether those controls are preventive or detective in nature, and manual or automated.

A17. In some cases, the specified requirements with which the entity is required to comply represent only a portion of an agreement or specified authority. The practitioner’s understanding of the specified requirements is intended to enable the practitioner to identify which aspect of the agreement or specified authority is applicable to the engagement.

A18. Obtaining an understanding of the specified requirements is an essential part of planning and performing the compliance engagement. That understanding provides the practitioner with a frame of reference for exercising professional judgment throughout the compliance engagement, for example, when:

  • Identifying when special consideration may be necessary, such as factors indicative of fraud and the need for specialized skills or the work of an expert;

  • Establishing and evaluating the continued appropriateness of quantitative significance levels, when appropriate, and considering qualitative significance factors;

  • Designing and performing further procedures to obtain sufficient appropriate evidence; and

  • Evaluating evidence, including the reasonableness of management’s oral and written representations.

A42. In the case of a direct compliance engagement, this conclusion is phrased in terms of whether the entity complied with the specified requirements, in all significant respects.

A50. The practitioner uses professional judgment to determine if non-compliance with the specified requirements is significant but not pervasive or significant and pervasive. Examples of qualified and adverse conclusions are:

  • Qualified conclusion (an example for a significant but not pervasive misstatement) — “Based on the procedures performed and the evidence obtained, except for the effect of the matter described in the Basis for Qualified Conclusion section of our report, ABC Company complied with the specified requirements [list the requirements or refer to the requirements (for example, “the requirements listed in Attachment 1”)], including the interpretation set out above during the period [date] to [date] [or “as at [date]”], in all significant respects.”

  • Adverse conclusion (an example for a significant and pervasive misstatement) — “Because of the significance of the matter described in the Basis for Adverse Conclusion section of our report, ABC Company does not comply with the specified requirements [list the requirements or refer to the requirements (for example, “the requirements listed in Attachment 1”)], including the interpretation set out above during the period [date] to [date] [or “as at [date]”].”

OAG Guidance

Direct engagements that report on compliance with specified requirements provide assurance on whether an entity has complied with specific requirements at a point in time, or for a specified period of time. A “specified requirement” is established in agreements, by specified authorities, or a provision thereof, with which the entity is required to comply. Among others, specified authorities or requirements can be found in legislation, regulations, directives, funding agreements, lease agreements, and loan agreements.

Although many OAG performance audits include examining whether entities have followed requirements, and auditors use legislation, regulations, or agreements as sources of criteria, those audits are not automatically engagements to report on compliance with specified requirements. Reporting on compliance with requirements is generally not the sole purpose of a performance audit, which also examines whether government programs are being managed with due regard for economy, efficiency, and environmental impact, and whether measures are in place to determine their effectiveness. Similarly, a special examination may include an assessment of a specific authority, but its objective is not solely to report on compliance.

CSAE 3531 includes illustrations of reports on compliance. A compliance report is typically about 500 words, where the opinion (conclusion) of whether the entity has complied with the requirements is stated. In contrast, a performance audit or special exam usually contains many paragraphs, with contextual information, observations, findings, recommendations, and a conclusion.

At the end of this section, see two examples of when CSAE 3531 could apply.

Audit teams are encouraged to contact Audit Services before they decide whether their audit is a direct engagement that reports on compliance with specified requirements that should be conducted under CSAE 3531. To make their decision, audit teams should consider the purpose of the engagement, the needs of the entity, and the users of the compliance report.

Differences between a performance audit and a report on compliance, and other considerations

The Office’s Direct Engagement Manual and System of Quality Control apply to direct engagements to report on compliance with specified requirements. There are, however, some differences and additions required by CSAE 3531 which are outlined below.

Purpose of the engagement

CSAE 3531 requires audit teams to express a conclusion about whether the entity complied with the specified requirements, in all significant respects. The objective of a direct engagement under CSAE 3001 is to report whether the underlying subject matter conforms with the applicable criteria.

Risk assessment

As under CSAE 3001, CSAE 3531 requires the team to obtain an understanding of the entity and its environment during the planning phase. Under CSAE 3531, this means that the team must also learn about the specified requirements and make inquiries concerning how the entity monitors its compliance with them. The procedures needed to obtain this understanding would not differ much from those in other direct engagements. They would, however, have to be sufficient to identify areas and risks of non-compliance with the specified requirements. An understanding of the entity’s internal control over compliance is part of the understanding of the entity and its environment; it enables teams to identify areas and risks of non-compliance and provides a basis for designing and performing further procedures. Professional judgment is needed to determine which controls are relevant in the engagement circumstances and how this understanding will be obtained.

Audit objective

Under CSAE 3531, the objective of a direct engagement to report on compliance with specified requirements is to obtain reasonable assurance (or limited assurance, as appropriate) about whether an entity complies with specified requirements at a point in time (for example, as at the year-end of the entity), or for a specified period of time (for example, the fiscal year of the entity). The audit objective should be expressed in terms of the conclusion the audit is expected to draw regarding the entity’s compliance with the specified requirements.

Criteria

Under CSAE 3531, criteria are benchmarks used to measure or evaluate the entity’s compliance with the specified requirements. CSAE 3001 defines criteria as the benchmarks used to measure or evaluate the underlying subject matter. As such, in a direct engagement to report on compliance with specified requirements, the criteria should not simply restate the requirements; they should define how the auditor will know whether a requirement is met. For example, if regulations specify that an entity must provide services in a timely manner, the audit team would need to identify which services are covered and what “timely” means. The team could develop a criterion such as the following: Entity ABC has provided service ABC within a month of receiving a complete application. This example requires the audit team to interpret the requirements, since the regulations did not define them.

If specified requirements require significant interpretation, CSAE 3531 requires that audit teams develop the interpretation with relevant parties: the user of the report (who, in some circumstances, may be a regulator) and the entity’s management. The audit team must also seek acknowledgement from management that the interpretation is suitable.

Written representations

An engagement conducted under CSAE 3531 requires written representations from the entity’s management beyond those required by CSAE 3001. In addition to the representations required by CSAE 3001, the audit team shall request the following representations from the entity’s management:

(a) Acknowledging management’s responsibility to comply with the specified requirements;
(b) Acknowledging management’s responsibility for such internal control over compliance with the specified requirements as management determines is necessary;
(c) Stating whether management has performed an evaluation of the entity’s compliance with the specified requirements;
(d) When applicable, stating management’s responsibility for significant interpretation of the specified requirements and management’s acknowledgement that the interpretation is suitable;
(e) Stating that the criteria used in the engagement are suitable;
(f) Stating that management has disclosed any communications from legislative authorities or counterparties to agreements concerning possible non-compliance with the specified requirements, including communications received between the end of the period addressed in the written statement and the date of the practitioner’s report; and
(g) Stating that management has disclosed any known non-compliance with the specified requirements occurring during the period or subsequent to the period for which, or date as of which, the practitioner concludes.

Non-compliance

As soon as practicable, the audit team shall make the entity’s management aware of significant non-compliance that has come to the team’s attention. For example, instances of non-compliance that may be indicative of unlawful acts or fraud should be brought to the entity’s attention. This means that such information would be shared with the entity even before a draft report on compliance is ready.

Reporting

The conclusion of a direct engagement to report on compliance with specified requirements shall express whether the entity complied with the specified requirements, in all significant respects.

Audit teams are encouraged to refer to the illustrative reports in CSAE 3531 when drafting their report on compliance. A report on compliance with specified requirements must include elements in addition to those required under CSAE 3001: the identification or description of the specified requirements and significant interpretations, if any; a description of management’s responsibility for the entity’s compliance with the specified requirements; in a reasonable assurance engagement, a statement that the practitioner believes the evidence obtained is sufficient and appropriate to provide a basis for the practitioner’s opinion; and a statement that the practitioner does not provide a legal opinion on the entity’s compliance with the specified requirements.

Two examples of when CSAE 3531 could apply

Example 1—An engagement where the sole focus and objective would be to determine whether an entity provided services as quickly as the circumstances permit according to the requirement in regulations would be an example of a situation where a report on compliance could be considered. In this case, the intent would be to conclude on whether the entity complied with this specific requirement without looking at other issues.

Example 2—In 2005, the “follow the dollar” mandate was inserted into the Auditor General Act, allowing the OAG to audit recipients under a federal funding agreement (excluding other levels of government) that had received at least $100 million in funding over a five-year period. In 2006, however, amendments under the Federal Accountability Act extended the OAG’s mandate to recipients that had received $1 million or more in funding over a five-year period. This amendment gave the Auditor General the powers, at his discretion, to inquire into the use of federal grants, contributions, or loans, even when they are transferred outside government. Consequently, the OAG could decide or the government could ask the OAG to conduct such an engagement on recipients.

This engagement could be a direct engagement to report on compliance with specified requirements if the goal of the engagement was solely to provide assurance as to whether the recipient complied with the requirements set out in a funding agreement. For example, the government provides funds through transfer payment agreements to private companies or non-profit organizations (the recipients). Those funding agreements include requirements that recipients must respect in order to receive the funds. In a direct engagement to report on compliance with specified requirements, the audit team could audit whether a recipient did what it was supposed to do according to the funding agreement.