COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
1505 Acquiring and Maintaining Knowledge of Business for Performance Audits
Knowledge of business (KOB) refers to an understanding of how a federal government entity or key entities in a sector operate, their corporate culture, business challenges, and external environment. KOB is important for planning performance audits that are risk based, relevant and timely.
CSAE 3001 Requirements
35. The engagement partner shall: [...]
(c) Have sufficient competence in the underlying subject matter and its measurement or evaluation to accept responsibility for the assurance conclusion. (Ref: Para. A66-A67)
CSAE 3001 Application Material
A66. A practitioner may be requested to perform assurance engagements with respect to a wide range of underlying subject matter. Some may require specialized skills and knowledge beyond those ordinarily possessed by a particular individual.
The audit team shall acquire, maintain, share and document current knowledge of entities in their respective portfolio, including the risks facing these entities. [Nov-2014]
The engagement leader responsible for a given entity or sector engages in KOB work continually through discussions with entity officials and review of documentation and media reports. KOB is also obtained while developing the Strategic Audit Plan (SAP) (see OAG Audit 1510 Selection of performance audit topics). Since the SAP is a long-term plan for audits of a sector or entity, the SAP needs to be re-evaluated each year to ensure that the right audits are planned. KOB work is required to either validate a strategic audit plan or identify new risks and areas for audit. If there is no SAP for a given sector or entity, KOB is the only source of this information.
The engagement leader is responsible for multiple entities. Therefore, he/she is responsible for acquiring, maintaining, sharing, and documenting current knowledge of these entities, including the broader risks that they face. The engagement leader shall acquire, maintain, share, and document detailed knowledge of specific aspects related to the entity(ies) under audit.
KOB serves a number of important functions at different times:
- supports objective and well-informed decision making on what to audit, including updates to risks identified in the Strategic Audit Plan, and any changes to budget envelope allocations (See section OAG Audit 1510 Selection of performance audit topics);
- makes the planning phase of an audit more focused and efficient;
- helps to identify instances where internal specialist support is required;
- puts audit findings into context when reporting;
- assists in the development of audit recommendations;
- helps audit teams prepare for departmental audit committee meetings; and
- helps audit teams prepare for Parliamentary committee hearings.
Planning and budgeting KOB work
The OAG has budgeted hours for KOB for each sector and for a number of entities (see resource managers for this information). This budget is to be used to plan and carry out KOB work. This work may be treated as a project: audit staff is assigned, internal specialists are consulted as required, and timelines, objectives, and deliverables are established.
Performing KOB work
KOB work should begin with a review of the SAP, a discussion with the relevant annual audit team, and a review of the annual audit file. In addition, one of the most important ways to acquire and maintain KOB is to identify and nurture a network of external contacts, both national and regional, who can provide different perspectives about issues and priorities. In addition to entity management, consultation with industry experts, and other specialists is key. These contacts can provide a wealth of information on the entity, sector, or subject area, and can also help in the selection of external advisors.
KOB work can also include the following, as necessary:
- review of legislation;
- review of Corporate strategic and business plans, risk assessments, meeting minutes;
- review of media reports;
- discussions with internal specialists;
- review of internal audit reports;
- meetings with chief audit executives;
- interviews with departmental audit committee members;
- review of entity tracking systems to assess the extent current and outstanding audit recommendations and entity commitments have been implemented;
- review of Hansards (debates), Parliamentary committee minutes and reports;
- review of other assurance engagements;
- review of management reports, sector publications, research studies;
- review of relevant audit reports of other jurisdictions (nationally and internationally);
- attendance at relevant conferences; and
- site visits.
On an annual basis, the audit team should inform the assistant auditor general and the Auditor General of any significant changes in risks.
Key entity documents to review could include the following:
|Documents internal to the organization:
|Information available on the Internet:
|Corporate strategic and business plans; capital/IM-IT investment plans; operating budgets; quarterly or other interim financial reporting
Departmental Plans; Departmental Results Reports ; enterprise and IM-IT strategic and business plans; IM-IT investment plans
|Performance measurement and reporting strategies/ frameworks
|Management Accountability Framework (MAF) Reports from Treasury Board of Canada Secretariat
|Minutes of senior management committees
|Recent news articles; industry journals
|Briefing notes to the Minister or Deputy Minister
Hansards (House of Commons debates)
|Integrated Risk Management Framework
|Public Accounts—detailed disclosures (e.g. overpayments)
|Briefing binders and minutes from Departmental Audit Committee
|Statutes/authorities/regulations related to the entity/sector
|Risk assessments/corporate risk profile
|Monthly reports to the executive committee
|Senate/House of Commons Committee Reports
|Business process mapping documentation
|Legal cases in relevant program or subject areas
|Studies or other internal reviews
|Research/academic studies and reports
|Memoranda to Cabinet
|Internal Audit reports
Other Assurance Engagements
|Treasury Board Submissions
|Internal Audit's audit monitoring records and progress in implementing management action plans developed in response to recommendations made in external audit reports (including OAG) and internal audit reports
The following are questions to consider when performing this work:
For an entity (or an entity being considered as part of a sector):
- What are the entity’s mission, mandate, authorities, key programs, priorities?
- What are its key objectives, business processes, and performance measures—inputs, outputs, outcomes?
- Who are the primary clients and stakeholders?
- How are programs governed, organized, and resourced?
- What are the critical IM-IT systems? What are the systems of internal control?
- What are the essential knowledge sources, centres of expertise, and key quantitative and qualitative data sources?
- What key challenges/risks/constraints does the organization face?
For a sector:
- How is “the business” defined or characterized? Why is it important to public policy?
- Who are key players and stakeholders? To what extent are they interdependent?
- What are the coordination mechanisms?
Teams should be sensitive to requesting too much information from entities and creating unnecessary burdens. Much of this information may be available from the financial audit team.
Auditors should be aware of “red flags” that could indicate risks, such as the following:
- a management tone at the top that is autocratic;
- lack of internal management reporting or performance measurement;
- dissatisfaction by major business users/stakeholders of key decision-making information required, resulting in the use of “black book” systems;
- recent major key systems failures or security breaches;
- changes in the organization, policies, authorities, or programs, such as
- high management turnover or long-term vacancies;
- significant increase in spending but a decline in performance outputs;
- significant variance in revenue or payment streams;
- programs or activities introduced or removed in a short period of time;
- systems or practices that have not changed in a long time despite changes in the environment;
- high employee grievance rates;
- service delivery delays or high error rates;
- lawsuits, contingent liabilities, settlements by the Crown;
- non-responsiveness to audits or resistance to being audited;
- budgets exceeded or under-spent by large amounts;
- authority/approval overrides or bypasses;
- lack of acknowledgement of risks by management.
Additional factors that auditors may consider when performing work to assess risks associated with an entity’s activities are described in section OAG Audit 4020 Risk Assessment.
Audit teams should look for opportunities to use analytical methods and techniques. Analytic methods may include the following:
|Source of information
|Financial statements—internal management reports.
|Budget variance analysis; expenditure/revenue trend analysis
|Interim/quarterly financial statements or reports to executive committee
Anomalous expenses trend
Material changes in financial information
|Public Accounts—Plate I-11 and I-12 (contingent liabilities) or Plate III-10 (payment of claims against the Crown) prepared quarterly
|New claims against the organization
|Public Accounts volume III—details
|Over and under payment data
|Information on business processes
|Business process mapping
|Reports to executive committee
|Significant changes to performance indicators
|Treasury Board of Canada Secretariat submissions; memorandum to Cabinet
|Changes to the program authority (new programs, changes to how existing programs are delivered)
|Reasons for sudden interest by parliamentary committees
|Systemic reasons for litigation
Deliverables and documentation
KOB information should be documented so that it is not lost when audit staff retire or leave the OAG. This could be captured in the same file as work related to the SAP, with access granted to those who would benefit from the information. Key documents obtained from the entity or entities should also be kept in the file and made available within the OAG, so that entities are not asked for the same documents more than once.
Documentation of KOB work should cover
- list of documents reviewed and consultations/interviews
- results of research and any analysis done, including
- significant change in authorities, controls, organization/management, resources, programs, systems
- risk diagnosis—significant changes since the SAP
- risks increased
- risks decreased
- new risks
- proposed changes to SAP or ongoing audits
- new audit recommended
- planned audit dropped, deferred, or significantly modified in scope or objective
- changes to lines of enquiries in audits already in progress
Security of and external access to KOB information
Documents that are obtained by the OAG from entities may come with a security classification already assigned. This classification must be respected. KOB information should be labelled protected A, B, or C, depending on the level of harm such information might do to the OAG or an individual should it be disclosed. KOB information has the same status as information “created or obtained” during the course of an audit, and therefore would qualify for exemption in accordance with s.16.1(1)(a) of the Access to Information Act. It is important to note that the Privacy Act does not have a similar exemption provision. Should personal information be collected as KOB, it may be released to the individual concerned upon request. For more information and/or advice on this subject, please contact the OAG ATIP Coordinator.
If access is required to documents that may be subject to solicitor–client or other privileges, the team can use the letter template provided to audit teams for this purpose.