COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
2080 Contracted out audits
Dec-2021
Overview
This section of the manual applies when the OAG engages 1 or more service providers (also called contractors) to fulfill all, or substantially all, engagement team positions to complete a financial audit, performance audit or special examination. These audits are called “contracted out” audits. In these cases, responsibility for audit quality and accountability for the performance of the engagement in accordance with applicable professional standards, legal and regulatory requirements, and the conclusions reached remains with an OAG engagement leader. The involvement of the contractor’s partner (or equivalent) in the contracted-out audit does not lessen the engagement leader’s responsibilities.
This section of the manual does not apply to joint audits where the responsibility and accountability for the overall opinion is shared with the appointed joint auditor. For information on joint audits, see section 3067 Working Arrangement with Joint Auditor.
CPA Canada Assurance Standards
| Office | Annual Audit | Performance Audit, Special Examination, and Other Assurance Engagements |
|---|---|---|
|
CAS 220.8 The engagement partner shall take responsibility for the overall quality on each audit engagement to which that partner is assigned. CAS 220.C11 The engagement partner shall form a conclusion on compliance with independence requirements that apply to the audit engagement. In doing so, the engagement partner shall: (Ref: Para. A5) (a) Obtain relevant information from the firm and, where applicable, network firms, to identify and evaluate circumstances and relationships that create threats to independence [In ISA 220, this paragraph states: Obtain relevant information from the firm and, where applicable, network firms, to identify and evaluate threats to independence]; (b) Evaluate information on identified breaches, if any, of the firm's independence policies and procedures to determine whether they create a threat to independence for the audit engagement; and (c) Take appropriate action to eliminate such threats or reduce them to an acceptable level by applying safeguards, or, if considered appropriate, to withdraw from the audit engagement, where withdrawal is possible under applicable law or regulation. CAS 220. 14 The engagement partner shall be satisfied that the engagement team, and any auditor's experts who are not part of the engagement team, collectively have the appropriate competence and capabilities to: (a) Perform the audit engagement in accordance with professional standards and applicable legal and regulatory requirements; and (b) Enable an auditor's report that is appropriate in the circumstances to be issued The engagement partner shall take responsibility for reviews being performed in accordance with the firm's review policies and procedures. CAS 220.17 On or before the date of the auditor's report, the engagement partner shall, through a review of the audit documentation and discussion with the engagement team, be satisfied that sufficient appropriate audit evidence has been obtained to support the conclusions reached and for the auditor's report to be issued. 18. The engagement partner shall: (a) Take responsibility for the engagement team undertaking appropriate consultation on difficult or contentious matters; (b) Be satisfied that members of the engagement team have undertaken appropriate consultation during the course of the engagement, both within the engagement team and between the engagement team and others at the appropriate level within or outside the firm; (c) Be satisfied that the nature and scope of, and conclusions resulting from, such consultations are agreed with the party consulted; and (d) Determine that conclusions resulting from such consultations have been implemented. 24. The auditor shall include in the audit documentation: (a) Issues identified with respect to compliance with relevant ethical requirements and how they were resolved. (b) Conclusions on compliance with independence requirements that apply to the audit engagement, and any relevant discussions with the firm that support these conclusions. (c) Conclusions reached regarding the acceptance and continuance of client relationships and audit engagements. (d) The nature and scope of, and conclusions resulting from, consultations undertaken during the course of the audit engagement. |
Responsibilities of the Engagement Partner CSAE 3001.37 The engagement partner shall take responsibility for the overall quality on the engagement. Assignment of the Team CSAE 3001.36 The engagement partner shall: (Ref: Para. A68) (a) Be satisfied that those persons who are to perform the engagement collectively have the appropriate competence and capabilities to: (i) Perform the engagement in accordance with relevant standards and applicable legal and regulatory requirements; and (ii) Enable an assurance report that is appropriate in the circumstances to be issued. CSAE 3001.57 When the work of a practitioner’s expert is to be used, the practitioner shall also: (Ref: Para. A121-A125) (a) Evaluate whether the practitioner’s expert has the necessary competence, capabilities and objectivity for the practitioner’s purposes. In the case of a practitioner’s external expert, the evaluation of objectivity shall include inquiry regarding interests and relationships that may create a threat to that expert’s objectivity; (Ref: Para. A126-A129) Independence CSAE 3001.24 The practitioner shall accept or continue a direct engagement only when: (Ref: Para. A31-A34) (a) The practitioner has no reason to believe that relevant ethical requirements, including independence, will not be satisfied; Reviews CSAE 3001.37 The engagement partner shall take responsibility for the overall quality on the engagement. This includes responsibility for: (c) Reviews being performed in accordance with the firm’s review policies and procedures, and reviewing the engagement documentation on or before the date of the assurance report; (Ref: Para. A73) CSAE 3001.A73 Under CSQC 1, the firm’s review responsibility policies and procedures are determined on the basis that the work of less experienced team members is reviewed by more experienced team members. |
OAG Policy
All contracted out audits shall be assigned an engagement leader who is an employee of the OAG. [Dec-2021]
The engagement leader shall ensure that the contracted-out audit is carried out in compliance with OAG audit policies, professional standards, applicable legal and regulatory requirements, and the OAG’s system of quality control. [Dec-2021]
Audit documentation prepared by contractors is the property of the OAG and shall be retained in accordance with OAG Audit 1191 Retention policies and procedures. [Dec-2021]
OAG Guidance
Engagement Leader responsibilities
When contracting out an audit, the OAG is engaging a contractor to perform audits on its behalf, thus discharging some of the responsibilities involved in conducting the audit engagement. The decision to contract out (including what audits, to which supplier or firm) falls outside the scope of this guidance. Having made the decision to hire a contractor for an audit engagement, the engagement leader is not abdicating any of his or her responsibilities for the audit. All the requirements in the applicable standards and OAG audit policies remain and are to be complied with. Even in a situation where a contractor’s partner (or equivalent) is involved, the engagement leader retains the same accountabilities as if the OAG had staffed the audit with OAG staff.
Contracting
Tenders and contracts for contracted out audits as well as the engagement leader’s responsibilities and involvement in the procurement process are subject to the OAG’s specific procurement processes and procedures and fall outside the scope of this guidance.
The timing of engaging in consultation with procurement (who will then involve legal services if necessary) is important, as the need to consider how to structure the procurement and related contract should be evaluated in advance of engaging with a potential contractor.
Further, of particular importance during the procurement process is the verification of the contractor’s competence and capacity as well as provisions to resolve unanticipated changes in the staff assigned to the engagement.
Engagement Performance
Before the work begins, the engagement leader:
- ensures that employees of the contractor assigned to the audit engagement, as well as the OAG audit team members clearly understand the lines of communication and how any problems or other matters are to be raised and addressed
- aligns with the contractor on engagement objectives, priorities, timeline; discuss project plan and key milestones and deliverables
The engagement leader retains the responsibilities for the overall quality and oversight of the contracted-out audit engagement. As part of these responsibilities, the engagement leader remains alert for evidence of non-compliance with relevant ethical and independence requirements by audit team members, including those contracted out. In regards to consultations, the engagement leader ensures these are undertaken when needed and acts as a liaison between the contractor and the OAG. Consultations may include those with Legal Services on, for example, (a) cabinet confidences and secret documents; (b) personal information or confidential business information; and (c) solicitor-client privileged information provided by entities’ counsel or by the Office Legal Services. The engagement leader should be aware of the OAG’s position not to grant contractors access to cabinet confidences and, as such, works with the Legal Services to put in place an approach whereby the contractor would have access to legal advice (both entity and the OAG) in such a way as to minimize the risk of waiving solicitor client privilege.
The engagement leader reviews critical areas of judgement, especially those relating to difficult or contentious matters identified during the course of the engagement, significant risks and other areas the considered important and discusses significant matters with the quality reviewer, if the one is appointed.
The engagement leader ensures the contractor’s work provides sufficient appropriate audit evidence to support the audit findings and conclusions before releasing the audit report. The contractor’s engagement partner (or equivalent) may also provide written sign off on the audit, if such was agreed to in the contracting-out arrangement.
Documentation
In regards to the audit documentation, the level of involvement of the engagement leader in the review (and documentation of this review) should be sufficient as to satisfy the quality control procedures. In this sense, the engagement leader ensures that appropriate audit documentation is maintained to provide evidence of the achievement of the practitioner’s objectives and that the engagement was performed in accordance with the OAG audit policies, professional standards and relevant legal and regulatory requirements. Appropriate audit documentation is sufficient to determine the nature, timing and extend of the procedures performed, and the results of the procedures performed and the audit evidence obtained. It reflects the work performed and support the conclusions reached. The engagement leader also ensures that the audit documentation, including contractor’s files, are complete and ready for finalisation in accordance with the provisions of this audit manual.
In some instances, the contractor might want to use their own methodology and audit software. These instances should be avoided, as documenting the audit file can pose some challenges. Under exceptional circumstances where avoidance is not possible, the engagement leader should ensure, before the work begins, that there are ways to retrieve the audit documentation from the contractor. The OAG is ultimately the owner of the audit documentation and should therefore have a complete readable copy of the audit file accessible at any time for consultation, internal review or inspection. The engagement leader is responsible for dealing with the issue of access to audit files and for ensuring that appropriate security practices are adhered to by the contractor.