COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
4025 Internal Controls
Canadian Standards on Assurance Engagements (CSAE) 3001 requires auditors to obtain—at the planning stage—an understanding of risks and internal control relevant to the audit. This section discusses the definition of internal control and the related work the audit team is required to undertake at the planning stage to obtain an understanding of internal control. Assessing risk at the planning stage is addressed under section Risk assessment (OAG Audit 4020).
CSAE 3001 Requirements
51R. The practitioner shall obtain an understanding of the underlying subject matter and other engagement circumstances sufficient to:
(a) Enable the practitioner to identify and assess the risks of significant deviation; and
(b) Thereby, provide a basis for designing and performing procedures to respond to the assessed risks and to obtain reasonable assurance to support the practitioner’s conclusion. (Ref: Para. A99-A103, A105-A109)
52R. In obtaining an understanding of the underlying subject matter and other engagement circumstances under paragraph 51R, the practitioner shall obtain an understanding of internal control relevant to the engagement. This includes evaluating the design of those controls pertinent to the objective of the engagement and, if relevant, determining whether they have been implemented by performing procedures in addition to inquiry of the personnel responsible for the underlying subject matter. (Ref: Para. A105-A108)
53R. Based on the practitioner’s understanding (see paragraph 51R) the practitioner shall: (Ref: Para. A110-A114)
(a) Identify and assess the risks of significant deviation, and
(b) Design and perform procedures to respond to the assessed risks and to obtain reasonable assurance to support the practitioner’s conclusion. In addition to any other procedures on the underlying subject matter that are appropriate in the engagement circumstances, the practitioner’s procedures shall include obtaining sufficient appropriate evidence as to the operating effectiveness of relevant controls over the underlying subject matter when:
(i) The practitioner intends to rely on the operating effectiveness of those controls in determining the nature, timing and extent of other procedures, or
(ii) Procedures other than testing of controls cannot alone provide sufficient appropriate evidence.
CSAE 3001 Application Material
A105. In a reasonable assurance engagement, understanding internal control relevant to the underlying subject matter assists the practitioner in identifying the types of deviations and factors that affect the risks of significant deviation. Professional judgment is needed to determine which controls are relevant in the engagement circumstances.
A106. When the objective of a reasonable assurance engagement is to assess the design or implementation of controls over a process (for example, a process for dealing with patients in a hospital emergency room), the practitioner is required, during the initial planning phase, to identify the internal controls to the extent necessary to inform the engagement scope and the risk assessment. The practitioner is not required to evaluate the design or determine the implementation of the controls during the initial planning phase. This work would be performed later in the engagement since internal controls form the underlying subject matter for this engagement.
A107. When the objective of a reasonable assurance engagement is to conclude on a specific outcome of a process, controls may not be relevant to that engagement. For example, an assurance engagement may be designed to reach a conclusion regarding whether the time taken to process specific items (for example, applications to receive a service) over a specified period of time exceeds what is permitted under stated policies. The practitioner might simply examine all the items processed during the specified period and conclude on whether there was compliance with the stated policies.
A108. When controls are pertinent to the objective of a reasonable assurance engagement, the practitioner evaluates the design of internal controls by documenting the key controls, and identifying deficiencies such as poorly designed or missing controls, if any. To determine if the controls have been implemented, the practitioner often may perform walk-throughs, or observe the control being performed by, for example, the responsible party’s personnel.
As part of understanding the subject matter, the audit team shall obtain an understanding of internal control relevant to the audit. [Nov-2015]
Internal control: The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.
Controls (or internal controls) are the policies and procedures that are designed, put in place, and operated to mitigate the risks that threaten achieving the entity’s objectives. Together internal controls form the system of internal control for an entity.
Design of a control is the way the control is supposed to work to provide reasonable assurance to mitigate risks to the achievement of objectives, as contrasted with how it actually works, as described by policy or procedural documentation.
Implementation of a control is the functioning of the control in one instance, which means that the control has been put in place at one point in time—it is present. Implementation is often considered along with design and is distinct from the operation of the control.
Operation of a control is its functioning over time. In other words, a control is operating it if continues to perform as expected over time. (i.e., sustained effective performance or functioning)
What CSAE 3001 Means for Conducting the Audit
In a direct assurance engagement, the audit team decides on the nature and scope of the underlying subject matter to be reported on. This decision is based on an understanding of the subject matter, including relevant internal controls (OAG Audit 4010 Understanding the subject matter in planning an audit; OAG Audit 4020 Risk assessment).
CSAE 3001 requires the audit team to obtain an understanding of the underlying subject matter and other engagement circumstances sufficient to enable it to identify and assess the risks of significant deviation (negative audit findings) in the underlying subject matter. As part of understanding the subject matter, the audit team is also required to obtain an understanding of internal control relevant to the engagement.
A relevant internal control is one designed to mitigate the risks of significant deviation in the underlying subject matter. In a performance audit, relevant internal control generally encompasses controls beyond those related to financial reporting. They may include internal controls related to the governance, management and performance of the underlying subject matter. For example, an internal control can be the process performed by an entity to ensure that applicants meet the eligibility criteria before issuing a grant. Professional judgment is essential in identifying internal controls relevant to the performance audit and determining the extent of audit work required (see OAG Audit 1042 Applying professional judgment).
Obtaining an understanding of internal control includes evaluating the design of those controls pertinent to the objective of the engagement and, if relevant, determining whether they have been implemented. Identifying and assessing risk of significant deviation and developing an understanding of relevant internal controls enables the audit team to determine the scope of the performance audit, refine the objective, finalize the development of suitable criteria and design procedures to obtain sufficient and appropriate evidence to support a conclusion on the objective.
When the objective of the performance audit is to conclude on a specific outcome of a program or process, examination of internal control at either the entity or underlying subject matter level may not be relevant.
To properly document the nature and extent of the audit work performed, the audit team should demonstrate how information gathered through its risk assessment and work on internal controls links to the scope and approach of the audit. Documentation is discussed in OAG Audit 1111 Nature, purpose, and extent of audit documentation. OAG Audit 4042 Audit scope and approach, contains guidance on scoping the audit and designing its approach. To facilitate the planning process and to document its decisions, the audit team completes the audit procedures along with the following tools:
- Engagement Risk Assessment Template
- Functional Risk Identification Template
- Risk and Controls Assessment Template
- Audit Logic Matrix
An additional OAG template is also available to teams to help document their assessment of controls—the Control Worksheet.
Understanding Internal Control—the Control Environment
In all audits, teams need to understand the control environment as part of planning the audit. The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation of internal control, providing discipline and structure. The audit team may develop an understanding of the entity’s control environment by gathering and analyzing information about the entity’s:
- Governance, and the independence of those charged with governance (i.e., the structures, reporting lines, authorities and responsibilities established in pursuit of its objectives);
- Commitment to integrity and ethical values;
- Oversight of its system of internal control;
- Service delivery model;
- Management of risk;
- Commitment and ability to attract, develop and retain competent individuals in alignment with its objectives;
- Governance and management of its information and related technology;
- The competence of the entity’s people;
- Management’s philosophy and operating style; and
- The rigour around performance measures, incentives, and rewards that helps increase accountability for performance.
Identifying Internal Controls
In understanding the control environment, the audit team identifies the relevant controls that help the entity(ies) mitigate the various subject matter risks identified during the team’s risk assessment. Identification of relevant internal controls is done for each risk identified. To identify relevant controls, think about the policies and procedures that are critical to mitigating the identified risks–what the entity cannot live without. The aim is to identify controls that, if ineffective, create a higher risk of a significant deviation (i.e., a negative audit finding).
Internal control relevant to the underlying subject matter may include internal controls that have a pervasive effect on other aspects of an entity’s operations. These controls are sometimes referred to as entity-level controls. The governance and management of enterprise risk, information and related technology, and human resources are examples of such controls. However, the relevance of these controls to an underlying subject matter is dependent on the objective of the performance audit. For example, when the underlying subject matter is a public sector entity’s grants process and the objective of the audit is the efficiency of the process, internal control over human resources management may not be relevant to the engagement. Whereas internal control related to the entity’s information and related technology may be relevant to such an audit if the practitioner is relying on information generated by the entity’s grants payment system.
In other situations, internal control relevant to the engagement may be limited to controls designed to mitigate the risk of significant deviation from the applicable criteria, such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. For example, a control to ensure that education credentials align with job requirements for all new employees may be relevant when conducting a performance audit of the effectiveness of hiring processes.
There may not be a one-to-one relationship between controls and risks. For example, a risk may have more than one control used to mitigate it and a control may be used to mitigate multiple risks. The audit team should capture the relevant controls that best respond to the risks identified. Techniques to identify relevant controls include a review of an entity’s own documentation, and discussion with entity management.
Determining the extent of work required
Once the audit team has obtained an understanding of the internal controls relevant to the audit, it determines the extent of work required on internal controls. It considers the subject matter of the audit objective and whether internal controls are relevant to the audit such as when the audit is about the functioning of controls. The extent of work to do on controls, whether to evaluate their design and determine their implementation depends on whether controls are relevant to the audit.
When the objective of the performance audit is to assess the design or implementation of internal control over a process, the internal control becomes the underlying subject matter. The audit team’s expectations for the effective design and, if relevant, implementation of the internal controls become the applicable criteria. The audit team may assess the effective design and, if relevant, implementation of these internal controls outside of the planning process, for example during the examination phase.
Internal controls are relevant to the objective of the audit
When controls are relevant to the objective of the audit, the audit team evaluates the design of internal controls by documenting the controls, and identifying deficiencies such as poorly designed or missing controls, if any. It is not required to evaluate the design and implementation of the controls during the planning phase if this work will be carried out in the examination phase.
Internal controls may also be used as a source of evidence.
Special Examinations. This situation applies to all special examinations, as internal controls are always included as the subject matter of a special examination. The objective of a special exam is to provide the corporation with reasonable assurance that it is meeting its statutory control objectives. Under the Financial Administration Act, the audit team is required to provide an opinion on the corporation’s systems and practices (controls) selected for examination. Therefore, audit teams must consider the control environment, identify the key internal controls (i.e., systems and practices) that the Crown corporation uses to mitigate the risks it faces and assess the suitability of the design and implementation of the controls.
The OAG has developed a set of core systems and practices and related standard criteria that must be examined in every special examination. In addition, there may be other risks specific to the Crown corporation that should also be included on the basis of the team’s risk and controls assessment. The final audit scope and approach must respond to the assessed risks, taking into account the team’s understanding of internal controls relevant to the engagement.
Performance audit. This situation applies to performance audits at a minimum where internal controls are the subject matter of the audit. Examples are where the audit objective is to assess design, implementation, and operation of controls such as:
Example 1: The audit objective was to determine whether selected government systems and practices to prevent the illegal entry of people into Canada are working as intended (Chapter 5—Preventing Illegal Entry Into Canada, tabled in fall 2013).
Example 2: The audit objective was to determine whether, when outsourcing building management services, Public Works and Government Services Canada had adequate controls to ensure selected obligations (i.e., environment and health and safety, building security, operational building continuity accessibility, and fairness when subcontracting) would be met (Chapter 7—Outsourcing Building Management Services, tabled in spring 2014).
Internal controls are not relevant to the objective of the audit
When internal controls are not the subject matter of the audit, internal controls may not be relevant to the audit. In such cases, audit teams are not required under CSAE 3001 to evaluate the design of internal controls or if the controls have been implemented. This may be the case when the objective of the audit is to conclude on a specific outcome. However, while evaluation of design and implementation is not required, it is helpful for the audit teams to be aware of controls to assist with understanding the risks to the subject matter of the audit and why an outcome may have occurred.
Special Examinations. This situation never applies to special examinations (due to the nature of the special examination opinion, as noted above).
Performance Audit. This situation may apply to performance audits where internal controls are not the subject matter of the performance audit. Examples are where the audit objective is to assess something other than controls (generally an outcome or result) such as:
Example 1: The audit objective was to determine whether Veterans Affairs Canada had facilitated timely access to services and benefits for veterans with mental illness (Chapter 3—Mental Health Services for Veterans, tabled in fall 2014).
Example 2: The audit objective was to determine whether Correctional Service Canada (CSC) provided correctional interventions to offenders in a timely manner to assist in their rehabilitation and reintegration into the community (Report 6—Preparing Male Offenders for Release—Correctional Service Canada, tabled in spring 2015).
Evaluating the Suitability of the Design of Relevant Controls
Evaluating the suitability of design of controls is required if the controls are relevant to the audit. The audit team may assess the effective design and implementation of these internal controls outside of the planning process, for example during the examination phase.
The audit team evaluates the design of internal controls by documenting the controls, and identifying deficiencies such as poorly designed or missing controls, if any. The audit team evaluates the design of each relevant control identified and concludes on the suitability of the design. A control is suitably designed if the way it is supposed to work would provide reasonable assurance to mitigate risks to the achievement of objectives (i.e., is it capable of effectively preventing, or detecting and correcting the risk it is intended to address?). An improperly designed control may represent a significant deficiency (i.e., a negative audit finding) in an internal control.
Control design is evaluated first because there is little point in evaluating the implementation of a control if its design is not suitable.
Considerations for evaluating design suitability: The audit team considers many factors when evaluating the suitability of a control’s design. Several factors for consideration are listed below. These factors are considered together and are often interrelated. No one element is necessarily more important than another; however, sometimes one fatal flaw can render a control ineffective.
Existence. A relevant control that is missing or non-existent has by definition an unsuitable design.
Purpose and relevance. The ability of the control to support the achievement of the related objective and mitigate the associated risks. Is the control aligned with the risks? Will it do what it is intended to do?
Completeness and/or coverage. Relates to applying the control to the area being managed. Is it being applied to all required elements? Are all relevant factors or elements considered? For example, a quality control review to check payment accuracy would be incomplete if it was not being performed on all benefit types. A performance indicator would be incomplete if it excluded a key portion of the operation it was being used to measure. In cases where a control is applied against a sample of transactions instead of the entire population, does the entity have an adequate risk-based approach?
Timeliness. The timeliness of the control in responding to events. Is the control applied in a timely manner to respond to related events? Several aspects of timeliness may need to be considered—the time to collect the information required, the time required to identify an exception or anomalies, as well as the time to take corrective action in response. For example, the timeliness of a monthly control performed three months in arrears may be problematic.
Frequency. How often the control is performed. Is the control performed at the right frequency (daily, monthly, annually)?
Clarity. The control is well documented and communicated to the officials responsible for applying it.
Degree of consistency, discretion, and/or subjectivity. The extent the control is pre-defined and objective. Is its application pre-defined or subject to interpretation and judgment? Are the expectations clear (i.e. is it clear what is and what is not a deviation and what the required actions are in response)? Automation, for example, may allow for errors and anomalies, that are typically human, to be eliminated.
Level of segregation. The degree of separation between the control and the activity being controlled as well as the degree of segregation between the various functions within the control itself. Is the control’s operation segregated from the process being controlled (to ensure exceptions or irregularities are actually captured, avoid conflicts of interest)? Are the various activities involved in the control itself separated? The more separation there is, the stronger the control is to prevent malfunctions, errors, and mitigate the related risks.
Reliability of the information used by the control. Is the information used to perform the control reliable (i.e. if the control’s operation relies on reliable management information, how does the entity know the information is reliable)?
Competence of the people involved in performing the control. People with the appropriate knowledge and experience are involved in conducting the control.
Follow-up actions taken to respond. There is an appropriate and clear response to issues identified by the control and it is enforceable. Are identified issues or anomalies acted upon appropriately and in a timely fashion?
Evaluating the Implementation of Relevant Controls
Evaluating the implementation of controls is required if the controls are relevant to the audit and the audit team concludes that their design is suitable. If the audit team concludes that the design of a control is not suitable, then evaluating its implementation becomes irrelevant.
The audit team determines the implementation of each relevant control identified, where design has been evaluated as suitable. A control has been implemented if it is functioning in one instance (i.e., it is present as designed at a point in time). To determine implementation, the audit team considers how the control actually works in one instance compared to the way it is supposed to work (its design). In forming a conclusion about a control’s implementation, the audit team considers to what extent any differences between implementation and design affect the ability of the control to mitigate the related risk.
Evaluating the implementation of a control is different from testing the operating effectiveness of a control. Implementation is evidenced at a point in time, while evaluating operating effectiveness involves testing a control’s operation over time.
Nature of Work Performed to Evaluate the Design and Implementation of Controls
When controls are relevant to the audit, CSAE 3001 requires the audit team to evaluate the suitability of design and determine the implementation of controls by performing procedures in addition to interviewing responsible entity personnel. Procedures to obtain evidence about the design and implementation of relevant controls include:
- interviewing entity personnel,
- observing the application of specific controls,
- reviewing documents and reports, and
- performing walkthroughs.
Walkthroughs. A walkthrough is an in-depth inquiry and observation of a process that allows the audit team to understand controls by following transactions through the system of control. Typically, entity personnel responsible for key components of the control demonstrate to the audit team, the flow of transactions through the system of control. It is used to obtain detailed knowledge of the control activities performed by tracing activities and events from their origin to the end of the activity. Typically, a single walkthrough is sufficient for each control. Further guidance is provided below on when additional walkthroughs or other work may be needed.
A walkthrough generally includes a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls. The mix of these procedures depends on the nature of the control. The purpose of a walkthrough is to confirm the team’s understanding of controls, evaluate the suitability of the design of controls, and confirm whether controls have been implemented.
During the walkthrough, the team applies professional skepticism and asks the entity to support its explanations by providing reports and procedure manuals or other documents used in, or generated by, the performance of the controls.
To prepare for a walkthrough, the audit team starts by obtaining and reviewing relevant documentation describing the process and activities, including the roles and responsibilities of various entity officials. In reviewing the documentation, the team also determines what processes exist for items outside the normal processing flow (items that are non-routine). This allows the audit team to form a preliminary understanding of the design of the control before developing a more detailed plan for the walkthrough. The audit team uses this process to compare and contrast the way the control is described (design) with the way it actually works in one instance (implementation).
During the walkthrough, at least one transaction from each key procedure is selected and traced through the process from beginning to end. At each point where important processing activities occur, the audit team questions entity personnel involved in significant aspects of the process about their understanding of what is required by the entity’s prescribed procedures, and it determines whether the processing procedures are performed as originally understood and on a timely basis. The auditor follows the process flow using the same documents and information technology that personnel use. Consequently, the audit team may need more than one meeting to question all personnel responsible for significant procedures and controls and to observe or trace all relevant steps in a process. The team remains alert for exceptions to the entity’s prescribed procedures.
The team corroborates information at various points in the walkthrough; for example, by asking personnel to describe their understanding of the previous and succeeding processing or control activities and to demonstrate what they do. The team also asks follow-up questions that could help identify the control deviations or indicators of fraud.
The audit team identifies and documents evidence examined and/or observed to support its understanding and evaluation of the design and determination of the implementation of the control. The team documents the walkthrough, summarizes control deficiencies, and evaluates the effect on its audit approach. The extent of inquiry and examination of documents when performing a walkthrough is sufficient to enable the team to conclude on the design and whether the controls have been implemented, but it is not sufficient for testing the operational effectiveness of controls. For example, when performing a walkthrough, the audit team would ordinarily trace a single example of a particular type of transaction. Although a walkthrough needs to consider the whole process, for portions of the process, different transactions may be used at different stages of the process to perform the walkthrough.
In the event that the same relevant control is performed by more than one person, or in multiple locations, we may need to walkthrough those processes as well.
Documenting the work. For each relevant control, the audit team documents its evaluation and conclusions. The important elements to document include:
- the name of control being evaluated,
- the associated risk(s) it is supposed to mitigate,
- evaluation of the suitability of the design,
- determination of the implementation (if design is suitable),
- overall conclusion on both design and implementation including rationale, and
- summary and links to work performed in support of the evaluation and conclusion.
The format of the documentation could vary; however, the audit team is encouraged to use the control worksheet to document its evaluation and conclusion on the suitability of design and the determination of implementation of each relevant control because the worksheet includes all key elements to consider.
Documentation of a walkthrough does not have to include everything that was discussed, rather the documentation should focus on the appropriate work done so that a reviewer can understand what evidence was seen and what the findings were so that matters where judgments have been made are adequately supported. It typically includes:
a concise description of the control and processes reviewed (i.e., key steps in its process);
the personnel, documents, and reports seen (i.e., who the audit team met and when, who attended from the OAG; specific evidence, reports examined); and
a concise description of any detailed review or observations, including any validation or testing performed.
Multi-location audits. As indicated above, typically the audit team performs one walkthrough for each control. If controls are performed in parallel in different locations, it may not be appropriate to assume that controls at different locations are the same. Additional walkthroughs may be required.
Multi-entity audits. For audits where the subject matter is spread across more than one entity, with each entity fulfilling a unique role, the work on risks and controls at the planning stage only needs to be done once. However, the meetings with entity staff and walkthroughs may take the team through different entities. For an audit where different entities have the same subject matter objectives, each entity becomes a sample, to see how the same subject matter is managed in different parts of the government. If we are examining the same subject matter in different entities, management of the subject matter could vary across the entities, and their risks and controls may be different. In this case, teams may need to perform separate risk and control assessments at the planning stage for each entity.
Controls in smaller organizations. In smaller entities, the controls may be informal; e.g., the activities may not be documented or reported. However, such controls can be tested through effective meetings with entity personnel, by making in-depth inquiries, observation, and corroboration of management, on how the controls operate and taking follow-up action to corroborate with other people. In a smaller organization, it may not be possible to have an appropriate segregation of duties. In such cases, teams need to look for compensating controls.
Next steps—Impact on Scope and Approach
When done during the planning phase, the work on the design and implementation of internal controls can inform the team’s overall risk-based planning decisions about the audit scope and approach (OAG Audit 4042 Audit scope and approach).
Close attention should be given to areas assessed as high risk with control deficiencies because these are areas with potentially high residual risk—the risk that remains even when controls are in place to mitigate the inherent risk.
The audit team should ensure that the audit approach and work program comprise specific procedures to address significant risks identified. The final design is documented in the audit logic matrix (ALM). OAG Audit 4044. Developing the audit strategy: audit logic matrix discusses the ALM in more detail.
Testing operational effectiveness. There is rarely a need to determine or test the operational effectiveness of controls of a performance audit or special examination in the planning phase. However, it is not unusual to test operational effectiveness of relevant controls as part of the examination phase, if they are relevant to the audit and/or form the audit objective, as a way to gather sufficient appropriate evidence in support of the team’s assessment of a situation against audit criteria. Testing operational effectiveness of a control involves determining if relevant elements of the control are functioning and continue to operate during the period under examination. This is particularly true in special examinations.
More extensive testing is required when operational effectiveness is examined. For example, obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit. In testing operational effectiveness, the audit team designs procedures to obtain evidence about the functioning of the control during the period covered by the audit, including:
- how the controls were applied at relevant times during the period under audit,
- the consistency with which they were applied,
- by whom or by what means they were applied, and
- the dependency of the control on other activities and information.