1505 Acquiring and Maintaining Knowledge of Business for Performance Audits

Aug-2021

The engagement leader responsible for a given entity or sector engages in KOB work continually through discussions with entity officials and review of documentation and media reports. KOB is also obtained while developing the Strategic Audit Plan (SAP) (see OAG Audit 1510 Selection of performance audit topics). Since the SAP is a long-term plan for audits of a sector or entity, the SAP needs to be re-evaluated each year to ensure that the right audits are planned. KOB work is required to either validate a strategic audit plan or identify new risks and areas for audit. If there is no SAP for a given sector or entity, KOB is the only source of this information.

The engagement leader is responsible for multiple entities. Therefore, he/she is responsible for acquiring, maintaining, sharing, and documenting current knowledge of these entities, including the broader risks that they face. The engagement leader shall acquire, maintain, share, and document detailed knowledge of specific aspects related to the entity(ies) under audit.

KOB serves a number of important functions at different times:

• supports objective and well-informed decision making on what to audit, including updates to risks identified in the Strategic Audit Plan, and any changes to budget envelope allocations (See section OAG Audit 1510 Selection of performance audit topics);
• makes the planning phase of an audit more focused and efficient;
• helps to identify instances where internal specialist support is required;
• puts audit findings into context when reporting;
• assists in the development of audit recommendations;
• helps audit teams prepare for departmental audit committee meetings; and
• helps audit teams prepare for Parliamentary committee hearings.

Planning and budgeting KOB work

The OAG has budgeted hours for KOB for each sector and for a number of entities (see resource managers for this information). This budget is to be used to plan and carry out KOB work. This work may be treated as a project: audit staff is assigned, internal specialists are consulted as required, and timelines, objectives, and deliverables are established.

Performing KOB work

KOB work should begin with a review of the SAP, a discussion with the relevant annual audit team, and a review of the annual audit file. In addition, one of the most important ways to acquire and maintain KOB is to identify and nurture a network of external contacts, both national and regional, who can provide different perspectives about issues and priorities. In addition to entity management, consultation with industry experts, and other specialists is key. These contacts can provide a wealth of information on the entity, sector, or subject area, and can also help in the selection of external advisors.

KOB work can also include the following, as necessary:

• review of legislation;
• review of Corporate strategic and business plans, risk assessments, meeting minutes;
• review of media reports;
• discussions with internal specialists;
• review of internal audit reports;
• meetings with chief audit executives;
• interviews with departmental audit committee members;
• review of entity tracking systems to assess the extent current and outstanding audit recommendations and entity commitments have been implemented;
• review of Hansards (debates), Parliamentary committee minutes and reports;
• review of other assurance engagements;
• review of management reports, sector publications, research studies;
• review of relevant audit reports of other jurisdictions (nationally and internationally);
• attendance at relevant conferences; and
• site visits.

On an annual basis, the audit team should inform the assistant auditor general and the Auditor General of any significant changes in risks.

Key entity documents to review could include the following:

The following are questions to consider when performing this work:

• What are the entity’s mission, mandate, authorities, key programs, priorities?
• What are its key objectives, business processes, and performance measures—inputs, outputs, outcomes?
• Who are the primary clients and stakeholders?
• How are programs governed, organized, and resourced?
• What are the critical IM-IT systems? What are the systems of internal control?
• What are the essential knowledge sources, centres of expertise, and key quantitative and qualitative data sources?
• What key challenges/risks/constraints does the organization face?

• How is “the business” defined or characterized? Why is it important to public policy?
• Who are key players and stakeholders? To what extent are they interdependent?
• What are the coordination mechanisms?

Teams should be sensitive to requesting too much information from entities and creating unnecessary burdens. Much of this information may be available from the financial audit team.

Auditors should be aware of “red flags” that could indicate risks, such as the following:

• a management tone at the top that is autocratic;
• lack of internal management reporting or performance measurement;
• dissatisfaction by major business users/stakeholders of key decision-making information required, resulting in the use of “black book” systems;
• recent major key systems failures or security breaches;
• changes in the organization, policies, authorities, or programs, such as
  • high management turnover or long-term vacancies;
  • significant increase in spending but a decline in performance outputs;
  • significant variance in revenue or payment streams;
  • programs or activities introduced or removed in a short period of time;
• systems or practices that have not changed in a long time despite changes in the environment;
• high employee grievance rates;
• service delivery delays or high error rates;
• lawsuits, contingent liabilities, settlements by the Crown;
• non-responsiveness to audits or resistance to being audited;
• budgets exceeded or under-spent by large amounts;
• authority/approval overrides or bypasses;
• lack of acknowledgement of risks by management.

Additional factors that auditors may consider when performing work to assess risks associated with an entity’s activities are described in section OAG Audit 4020  Risk Assessment.

Audit teams should look for opportunities to use analytical methods and techniques. Analytic methods may include the following:

Deliverables and documentation

KOB information should be documented so that it is not lost when audit staff retire or leave the OAG. This could be captured in the same file as work related to the SAP, with access granted to those who would benefit from the information. Key documents obtained from the entity or entities should also be kept in the file and made available within the OAG, so that entities are not asked for the same documents more than once.

Documentation of KOB work should cover

• list of documents reviewed and consultations/interviews
• results of research and any analysis done, including
  • significant change in authorities, controls, organization/management, resources, programs, systems
  • risk diagnosis—significant changes since the SAP
    • risks increased
    • risks decreased
    • new risks

• proposed changes to SAP or ongoing audits
  • new audit recommended
  • planned audit dropped, deferred, or significantly modified in scope or objective
  • changes to lines of enquiries in audits already in progress

Security of and external access to KOB information

Documents that are obtained by the OAG from entities may come with a security classification already assigned. This classification must be respected. KOB information should be labelled protected A, B, or C, depending on the level of harm such information might do to the OAG or an individual should it be disclosed. KOB information has the same status as information “created or obtained” during the course of an audit, and therefore would qualify for exemption in accordance with s.16.1(1)(a) of the Access to Information Act. It is important to note that the Privacy Act does not have a similar exemption provision. Should personal information be collected as KOB, it may be released to the individual concerned upon request. For more information and/or advice on this subject, please contact the OAG ATIP Coordinator.

If access is required to documents that may be subject to solicitor–client or other privileges, the team can use the letter template provided to audit teams for this purpose.