4010 Understanding the Subject Matter in Planning an Audit

Jul-2020

What CSAE 3001 means for understanding the subject matter in planning

Understanding the subject matter involves updating or obtaining sufficient information about the relevant entity(ies) and topic areas of the audit, including obtaining an understanding of internal control relevant to the audit. CSAE also requires some specific inquiries to be made by audit teams as part of this work (see the section below that describes these requirements in more detail).

Knowledge of the subject matter informs the audit team’s risk assessment, significance considerations, scoping decisions, and audit approach. In the case of performance audits, it may also inform the audit objective. (These topics are discussed in OAG Audit 4020 Risk assessment; OAG Audit 4025 Internal controls; OAG Audit 4041 Audit Objective; OAG Audit 4042 Audit scope and approach; OAG Audit 4043 Audit criteria; and OAG Audit 4044 Developing the audit strategy: audit logic matrix). Understanding the subject matter also helps the audit team to determine if the subject matter is appropriate—a pre-condition for continuing with the audit (OAG Audit 3011 Acceptance and continuance).

Understanding the subject matter also helps the audit team to determine if the subject matter is appropriate—a pre-condition for continuing with the audit (OAG Audit 3012 Preconditions for a direct engagement) and (OAG Audit 3011 Acceptance and continuance). If the audit team determines that the subject matter is not appropriate (i.e. the subject matter is not identifiable; cannot be consistently measured against appropriate criteria and that sufficient appropriate evidence cannot be obtained to support a reasonable assurance conclusion on it), then the audit team will either have to withdraw from the engagement OR express a qualified or a disclaimer of conclusion (OAG Audit 7040 Audit conclusion).

Understanding the subject matter

The term “underlying subject matter” is used in CSAE 3001 and is defined as the phenomenon that is measured or evaluated by applying criteria. In other words, “underlying subject matter” is the area being audited. The underlying subject matter in a performance audit may be the activity, process or program within an individual entity or one which spans multiple entities, or the performance audit may be for an entity overall. The underlying subject matter is measured directly against applicable criteria during a defined period or at a point in time.

For the purposes of this direct engagement manual, the term “subject matter” is used and refers to both the relevant entity(ies) and topic areas being audited, as relevant.

• In some cases the subject matter will be primarily a government entity. For example, in a special examination, the subject matter is considered to be the Crown corporation.

• In some performance audits, the subject matter may be primarily topic based and often involves more than one entity. For example an audit of a function or activity within and/or across government (e.g. human resource management). In these cases, the audit team should obtain an understanding of the topic area as well as how it operates in each organization selected for audit. When there may be multiple entities responsible for the underlying subject matter, obtaining sufficient understanding of the entities and their interrelationships enables the audit team to appropriately scope, plan and conduct the performance audit.

Factors to consider when obtaining and updating knowledge of subject matter. The audit team should obtain information about all the key features of the subject matter (audited entity(ies) and topics) and the environment relevant to that subject matter. Some factors for the audit team to consider when gathering information to understand the subject matter include

• nature of the subject matter (i.e. the governing authorities; form of organizations and objectives);
• accountability relationships;
• programs, operations, and activities;
• performance;
• resources;
• systems, controls, and practices;
• external environment;
• risks.

Not all these elements are relevant to every performance audit and the list is not necessarily complete. Many of these elements form the basis of the control environment which is considered as part of understanding internal control. This topic is discussed in Internal Controls (OAG Audit 4025).

Nature of the subject matter. The nature of subject matter includes three interrelated elements that teams consider:

• The governing authorities: these include such things as legislation; regulations, Order in Councils; Treasury Board decisions, policies, directives, etc.

• The organizations involved, their form and their legal structures: Governments carry out policies and deliver services through different forms of organization. Some common forms of organization include government departments, statutory or service agencies, special operating agencies, Crown corporations, and agents of Parliament. Different forms of organization are subject to different rules, policies, and requirements. For example, Crown corporations have broad financial powers and operational authority delegated to their management under legislation, and are more autonomous.

• The objectives and mandates related to subject matter and involved entities:  Different forms of organization have different objectives. Different program areas or functions within government also have different objectives.

Information about the nature of the entity may assist the audit team in understanding:

• the authority for the entity's programs, operations and activities;
• any specific financial, administrative and operational powers and responsibilities granted by governing authorities;
• the basis for its accountability relationships and performance goals; and
• significant external constraints on the entity's operations.

Accountability relationships. An understanding of the accountability relationships relevant to the subject matter permits the audit team to determine which entities (or parts of the entity(ies)) are responsible for which elements of performance related to the subject being audited and the resources the entities use to meet their objectives.

In federal departments and other non-corporate government organizations, ministers are charged with developing policy and making the major decisions assigned by law. An appointed senior public servant, such as a Deputy Minister, is primarily accountable to a Minister and is responsible for advising the Minister and for administration. Such senior public servants may have additional accountabilities to the Prime Minister, and to central bodies such as a Treasury Board, Public Service Commission, or Public Accounts Committee. Further, the powers and responsibilities of those senior public servants are usually assigned through governing authorities. Crown corporations in contrast are responsible to the government and to the legislature through a Minister. An appointed board of directors is charged with the overall direction of the business, activities, and other affairs of the corporation. The board of directors delegates to the chief executive officer and other senior management officials, the responsibility for administration. Crown corporations are often not subject to all of the governing authorities that apply to departments.

The audit team also identifies other relevant accountability relationships such as those within the relevant entities themselves (i.e. governance structure and organization); those between relevant entities, including subsidiaries; and those with other governments.

Programs, operations, and activities. The audit team analyzes operations undertaken by the relevant entity(ies) so as to clearly understand the subject matter. This understanding helps the audit team determine whether the audit entity(ies) are operating within its powers, how the entity(ies) achieve the objectives and performance goals related to the subject matter, and any risks that need to be managed in doing so.

Understanding the entity's significant programs, operations and activities include obtaining information about

• the intended outputs, such as goods or services;

• the outcomes and impacts of the programs, operations and activities, which may be positive or negative effects of a program, operation or activity, and they may be intentional or unintentional;

• the organizational structure, including identifying the divisions and branches, determining their responsibilities and degree of autonomy;

• the source, nature and amount of resources used in program delivery;

• the method of program delivery; and

• the pricing or fee structures.

Performance. The audit team needs knowledge of the relevant entity(ies)’s and/or overall government performance as it relates to the subject matter to understand such matters as the relevance of the activities to clients and stakeholders; trade-offs among conflicting objectives; and information available and used to manage activities. Performance involves factors such as: outputs, outcomes, and impacts relative to objectives, goals, and inputs; quality; level of service; and stakeholder satisfaction (e.g. its beneficiaries or customers, resource providers, competitors, policy centres and special interest groups). Audit teams consider actual performance as it relates to the subject matter, but also to the suitability of the performance goals (i.e. whether those goals are consistent with the governing authorities). Information about the entity’s performance may help the audit team identify areas of the entity that need to be examined, as well as those that may not warrant as much attention. For example, areas where performance goals are being met may not warrant as much attention as those areas that are clearly not meeting performance goals, taking into account the audit team’s assessment of importance and risk. Suitable performance goals may also be useful sources of criteria for the audit.

Resources. Organizations use physical, financial, and human resources to achieve their objectives and performance goals.

• Physical resources: The audit team obtains information about the source, nature, location, condition, and value of the audit entity’s significant physical resources (such as land, buildings, equipment, and infrastructure) as they relate to the subject matter. This information could also include information about the acquisition, disposal, and lifecycle management processes.

• Financial resources: Knowledge of the audit entity's financial resources (nature, source, and amount of the audit entity’s revenue and expenditures, and the source, amount, and location of its financial assets and liabilities) helps the audit team understand the magnitude of operations.

• Natural resources: The audit team obtains information about the renewable and non-renewable resources.

• Human resources: The audit team obtains information about human resources including information about employees (e.g. their number, qualifications and categories, skills and responsibilities) and the work environment as it relates to the subject matter (e.g. processes in place for human resource planning, staff evaluation, and training; the nature and condition of the workplace; and the relationship of management with other employees and with unions.)

Information about the entity’s resources may assist the audit team in understanding:

• how resources relate to the entity’s objectives;

• the allocation of resources to programs, operations and activities;

• how government priorities inform the allocation of resources to the entity and the relative significance of specific programs, operations and activities;

• the relationship between resources and the organizational structure; and

• the relationship between resources and entity performance.

Systems, practices, and controls. Management establishes systems, practices, and controls to plan, control, monitor, and report on its achievement of objectives and activities for carrying out its mandate. The audit team needs knowledge of the systems, practices, and controls related to the subject matter in order to understand their suitability for the programs, operations, and activities and for understanding the risks to meeting the associated objectives. Understanding systems, practices, and controls also includes gathering information on the existence, mandate, and work of an internal audit function as it relates to the subject matter. Understanding internal controls is discussed in OAG Audit 4025 Internal controls.

The systems, processes and controls that the audit team may consider include:

• The systems and controls in place for controlling, monitoring and reporting on significant programs, operations and activities;

• The systems and controls in place for planning, reporting on, and safeguarding and controlling the entity's physical, financial, natural and human resources;

• The systems and controls in place to facilitate the entity's compliance with governing authorities; and

• The existence, mandate and work of an internal audit function.

Information about the entity’s systems, processes and controls may assist the audit team in understanding:

• Risks to programs, operations and activities that the entity has identified;
• Elements of performance that management is assessing;
• The entity’s performance criteria;
• The methods of data collection and analysis;
• How the entity uses performance information; and
• The nature and frequency of reporting.

External environment. The external environment includes factors over which management has limited control, such as government policies, client demand, availability of resources, competitors, partners, and special interest groups. The external environment is a source of risk because changes in that environment may significantly affect the objectives; accountability relationships; performance; programs, operations, and activities; resources; and systems, practices, and controls relevant to the subject matter. Elements of the external environment include factors such as the service or business environment; political factors such as government priorities; social, economic, financial, environmental, legal or technological factors; as well as clients, stakeholders, and partners related to the subject matter.

The audit team may obtain information about constraints imposed by governing bodies or constituents (e.g., beneficiaries, customers, resource providers, competitors, special interest groups), such as:

• budget reductions;
• budget amendments;
• cost-recovery requirements;
• revenue targets;
• changes to legislation, contracts or agreements;
• operating or availability constraints;
• safety, service-level or pricing constraints; and
• changes in reporting relationships.

Risks. Risks may be inherent to the nature of the topic and/or entities being audited. Risks may also exist because systems, controls, and practices are inadequate or inappropriate to control inherent risks of the subject matter (control risk). The audit team should understand the risks faced by the relevant entity(ies) in relation to the subject matter. A starting point for this information is often determining how the relevant entity(ies) identify, assess, monitor, and control its risks. This topic is discussed further in OAG Audit 4020 Risk assessment.

Starting point for gathering information

There are various sources of information an audit team can use to gather the necessary information and to document its understanding of the subject matter and its environment. Audit teams start by reviewing key documents (e.g., legislation, Hansard, strategic plans, business plans, meeting minutes, risk assessments, internal audit reports, management reports, sector publications, research studies, other assurance engagements, media reports) as well as consulting knowledgeable individuals within the relevant entity(ies), and within the OAG. Within the OAG, teams consult the annual audit teams, entity teams, as well as teams that have conducted previous audits related to the subject matter. Teams also consult with internal specialists where relevant to discuss difficult or contentious matters (see OAG Audit 3081 Consultations). Teams identify key stakeholders and clients and, if relevant, also gather information from their perspective that is relevant to the subject matter.

Some specific requirements related to understanding the subject matter

As part of obtaining sufficient understanding of the subject matter, the audit team is required to undertake some specific work. The audit team assesses the impact of the information gathered as part of this work on the audit approach. In particular, specific work related to understanding the subject matter is required in the following areas:

• confirmation of engagement leader competency;
• three specific inquiries;
• internal control;
• for special examinations, affiliated entities.

Confirmation of engagement leader competency: Audit standards require that the engagement leader have sufficient competence in the underlying subject matter and its measurement to accept responsibility for the conclusion of the engagement. Some audits may require specialized knowledge beyond those ordinarily possessed by a particular individual or may require knowledge in an area that is relatively new to the engagement leader. In these cases, the engagement leader will need to ensure mitigating strategies are in place to manage the risk and enable him or her to form a conclusion on the subject matter. Mitigating strategies will often include using an expert. Using an expert is discussed in section OAG Audit 2070. In practice, this requirement is met by assessing and mitigating engagement risk (which includes an assessment of both the engagement leader and team competency). Engagement risk is discussed in OAG Audit 4020 Risk assessment.

Three specific inquiries: As part of obtaining sufficient understanding of the subject matter, CSAE 3001 requires the audit team to make some specific inquiries and to use this information to inform its planning decisions. These inquiries should be made with the appropriate senior officials within the relevant entity(ies) such as the Chief Audit Executive, senior managers, board of directors, audit committee, and so forth. These inquiries can be made through interviews during the planning phase and documented by the team through meeting minutes. Formal or written responses are not required.

1. Intentional deviation or non-compliance: The audit team is required to inquire about any intentional deviations or non-compliance affecting the subject matter. In other words: Do senior entity officials have knowledge of any instances (actual, suspected, or alleged) where the underlying subject matter does not intentionally conform with the applicable criteria, including any intentional non-compliance with laws and regulations affecting the subject matter of the audit? The audit team should start its inquiry by discussing this matter with any relevant OAG financial audit teams. Subsequent discussion should be held with the Chief Audit Executive and/or risk officers and senior managers of the responsible area. The audit team will assess the impact of these discussions on the audit approach.  If an intention deviation or non-compliance affecting the subject matter is identified, the audit team may need to adjust its audit design to respond to this risk and/or adjust its mitigating strategies to respond to an increase engagement risk.  In such instances, the audit team should consult with the relevant internal specialist(s) (i.e. wrong doing and fraud; legal) as needed. Refer to OAG Audit 3081 for more information on consultations.

2. Internal audit: The audit team is required to inquire about relevant internal audit work and to determine the impact on the audit design. In other words: Is there an internal audit function and, if so, what are its activities and main findings with respect to the underlying subject matter? The audit team then determines how this information affects the audit approach. For example, the team may use this information to help identify and assess subject matter risks (see OAG Audit 4020 Risk assessment), to exclude areas from the scope of the audit if the team feels the issues have been adequately addressed by internal audit, or to include these areas in the scope of the audit for further work. If included in the audit, the team may decide to rely on the work of internal audit, in which case further work would be required by the team to ensure its adequacy as evidence. Relying on the work of internal audit is addressed in OAG Audit 4030. This topic is also covered in OAG Audit 4042 Audit scope and approach.

3. Entity(ies)’s use of experts: The audit team is required to inquire about the responsible party’s use of an expert  whose work is relevant  to the subject matter and then to determine whether this work significantly affects the underlying subject matter. A responsible party’s expert is usually engaged when the audited entity does not possess the needed skills and experience on the subject. In other words: Have the entity(ies) subject to the audit used the work of any expert individual or organization not normally part of its regular operations related to the subject matter of the audit?  Determining whether there is a relevant entity expert and whether this work significantly affects the underlying subject matter and requires professional judgment. For example, in an audit of Canada Pension Plan disability, the use of doctors by the responsible entity would likely not be considered “entity experts” because the work being performed by the doctors in assessing applicant’s eligibility is a core function of the subject matter and part of the normal process of managing the program. However if the entity had hired a time and motion expert to evaluate the processing and input speed and efficiency for inputting and processing applications, this individual would be an entity expert whose work could significantly affect the underlying subject matter and could have important implications for the engagement. If relevant to the audit, the work of that expert, could, for example, help the team identify and assess subject matter risks (see OAG Audit 4020 Risk assessment), exclude an area from the audit that the team feels have been adequately managed by the entity, or include areas in the scope if those areas are deemed higher risk. Audit teams may or may not decide to use the work of the expert; each option may have different implications that should be assessed by the audit team. Using the work of an audited entity’s expert is discussed further in OAG Audit 2070 Use of experts.

Internal control. As part of understanding the subject matter, audit standards require the audit team to obtain an understanding of internal control relevant to the audit. This topic is discussed in OAG Audit 4025 Internal controls.

For special examinations, affiliated entities. Audit teams for special examinations are required by the FAA to understand the extent of affiliated entities of the Crown corporation in order to determine if the affiliated entities should be included within the scope of the audit. Under part X of the FAA, section 83 defines when a corporation is a subsidiary of another.

If an affiliated entity is controlled and accountable to the parent Crown corporation and is significant to the operations of the parent Crown corporation, it is expected that there would be systems and practices in place in the parent Crown corporation to manage the affiliated entity, thus supporting the parent’s ability to fulfill its mandate and meet its statutory control objectives. In this context, when the audit team develops its understanding of the Crown corporation to be examined and its environment to establish the scope of the special examination, it also includes an understanding of all less than wholly-owned (LTWO) affiliated entities.

Documentation of LTWO-affiliated entities will help demonstrate that the special examination audit team collectively possesses adequate knowledge of the subject matter. Special examination audit teams should consult the annual audit files for the Crown corporation subject to examination to ascertain the most up-to-date information concerning the extent of ownership of LTWO-affiliated entities.

Determining the extent of work needed to obtain sufficient understanding of the subject matter

The amount of information required for understanding the subject matter and the audit team’s approach to obtaining this information will differ according to the size and complexity of the subject matter. The extent of work required also depends on the depth of existing knowledge of the audit team members. Professional judgment (OAG Audit 1042) will serve to determine when the audit team has done enough to obtain and document the necessary understanding. Professional skepticism (OAG Audit 1041) helps auditors critically assess the information gathered as part of understanding the subject matter.

If the audit team members have little or no previous experience or knowledge of business, sufficient work should be done to establish an appropriate base for the current audit. If the audit team members have previous experience with the subject matter (either entities and/or topic), the team should assess the relevance of that experience and then plan to update or enhance its knowledge—perhaps by focusing on significant changes. Some important considerations in planning the extent of work required include

• identifying areas where more or in-depth knowledge is required;

• assessing the need for any specialized knowledge or competence (including advice from internal specialists or hiring an external expert);

• balancing time and costs in relation to usefulness in planning the audit; and

• focusing on what is relevant and use professional judgment—the audit team needs to understand the concepts of significance and risk in the context of planning because these concepts will enable the audit team to determine the information required and to assess the information obtained.

It is also important to note that smaller entities may have less sophisticated systems and, as a result, there may be less control documentation available for examination. Thus, the team may be required to gain a better understanding of the informal processes in place through meetings, observation, and walkthroughs and then create its own corresponding documentation.

Planning a performance audit

Planning a performance audit is an iterative process. The following diagram illustrates one possible sequence of steps that may occur in the planning process.

Next steps

The audit team uses its understanding of the subject matter (including internal controls—see OAG Audit 4025) to inform its risk assessment (see OAG Audit 4020), to make key scoping decisions including considering significance, and to finalize its audit design (see OAG Audit 4042 Audit scope and approach). This work informs the development of the audit logic matrix (ALM) (see OAG Audit 4044).

The audit team updates its understanding of the subject matter and refines the ALM throughout the planning phase. Remember that understanding the subject matter is an iterative process that is interrelated with risk assessments, significance, and scoping decisions.

After gaining a good understanding of the subject matter, the engagement leader determines whether the audit team has sufficient subject matter knowledge to conduct the audit, and whether it needs to engage consultants with specific subject matter expertise. If the engagement leader decides to hire a consultant, he or she must follow OAG policies for procurement and contracting and follow the guidance for using experts discussed in OAG Audit 2070.