COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
4070 Audit Programs
Linked to the audit logic matrix, audit programs contain detailed information about the audit work that will be done to assess the audit criteria. Generally, the audit team develops one audit program for each line of enquiry (area to be audited). If audit procedures are incorporated in the ALM instead of developing separate audit programs, requirements in this section must still be followed.
CSAE 3001 Requirements
44. The practitioner shall plan the engagement so that it will be performed in an effective manner, including setting the objective, scope, timing and direction of the engagement, and determining the nature, timing and extent of planned procedures that are required to be carried out in order to achieve the objectives of the practitioner. (Ref: Para. A2-A3, A85-A89)
53R. Based on the practitioner’s understanding (see paragraph 51R) the practitioner shall: (Ref: Para. A110-A114)
(a) Identify and assess the risks of significant deviation; and
(b) Design and perform procedures to respond to the assessed risks and to obtain reasonable assurance to support the practitioner’s conclusion. In addition to any other procedures on the underlying subject matter that are appropriate in the engagement circumstances, the practitioner’s procedures shall include obtaining sufficient appropriate evidence as to the operating effectiveness of relevant controls over the underlying subject matter when:
(i) The practitioner intends to rely on the operating effectiveness of those controls in determining the nature, timing and extent of other procedures, or
(ii) Procedures other than testing of controls cannot alone provide sufficient appropriate evidence.
54R. The practitioner’s assessment of the risks of significant deviation may change during the course of the engagement as additional evidence is obtained. In circumstances where the practitioner obtains evidence which is inconsistent with the evidence on which the practitioner originally based the assessment of the risks of significant deviation, the practitioner shall revise the assessment and modify the planned procedures accordingly. (Ref: Para. A114)
55. When designing and performing procedures, the practitioner shall consider the relevance and reliability of the information to be used as evidence. If:
(a) Evidence obtained from one source is inconsistent with that obtained from another; or
(b) The practitioner has doubts about the reliability of information to be used as evidence,
the practitioner shall determine what changes or additions to procedures are necessary to resolve the matter, and shall consider the effect of the matter, if any, on other aspects of the engagement.
CSAE 3001 Application Material
A86.The practitioner may decide to discuss elements of planning with the appropriate party(ies) to facilitate the conduct and management of the engagement (for example, to coordinate some of the planned procedures with the work of the appropriate party(ies)’s personnel). Although these discussions often occur, the overall engagement strategy and the engagement plan remain the practitioner’s responsibility. When discussing matters included in the overall engagement strategy or engagement plan, care is required in order not to compromise the effectiveness of the engagement. For example, discussing the nature and timing of detailed procedures with the appropriate party(ies) may compromise the effectiveness of the engagement by making the procedures too predictable.
A87.Planning is not a discrete phase, but rather a continual and iterative process throughout the engagement. As a result of unexpected events, changes in conditions, or evidence obtained, the practitioner may need to revise the overall strategy and engagement plan, and thereby the resulting planned nature, timing and extent of procedures.
A110.The practitioner chooses a combination of procedures to obtain reasonable assurance or limited assurance, as appropriate. The procedures listed below may be used, for example, for planning or performing the engagement, depending on the context in which they are applied by the practitioner:
- Analytical procedures; and
A111.Factors that may affect the practitioner’s selection of procedures include the nature of the underlying subject matter; the level of assurance to be obtained; and the information needs of the intended users and the engaging party, including relevant time and cost constraints.
A114.An assurance engagement is an iterative process, and information may come to the practitioner’s attention that differs significantly from that on which the determination of planned procedures was based. As the practitioner performs planned procedures, the evidence obtained may cause the practitioner to perform additional procedures.
Audits shall have audit programs that outline detailed steps for the audit work to be done for each line of enquiry. Audit programs shall be designed to enable the audit team to conclude against the audit criteria while remaining within the budget and timelines of the audit. [Nov-2011]
What the CSAE 3001 means for developing audit programs
The CSAE 3001 requires that audit team members design audit procedures to respond to the identified risks of significant deviation in order to obtain reasonable assurance to support the audit conclusion. When designing audit procedures, the CSAE 3001 also requires audit team members to consider the objective, scope, timing, and direction of the engagement, as well as the reliability and relevance of information to be used as evidence.
The audit programs are essential “maps” of how the team will obtain evidence to assess entities against the criteria and conclude against the objective. Audit team members should be aware of the potential need to modify the audit programs during the course of the audit as a result of evidence obtained, unexpected events, or changes in conditions of the audit.
Developing audit programs
As the audit logic matrix is being finalized, the audit team begins developing audit programs. Audit programs provide more detail than the audit logic matrix on the audit steps to be covered during the examination phase. Audit programs should be of sufficient detail to clearly communicate the nature of the work to be done, to ensure that the audit team members understand their responsibilities and to track progress. If audit procedures are incorporated in the ALM instead of developing separate audit programs, requirements in this section must still be followed.
The audit programs should be developed to collect sufficient appropriate audit evidence (OAG Audit 1051 Sufficient appropriate audit evidence) and to respond to the risks of significant deviation identified during the planning phase (OAG Audit 4020 Risk assessment) in order to obtain reasonable assurance to support the conclusion.
Each audit program includes
the overall audit objective(s);
the relevant line(s) of inquiry, criteria, and audit questions (as well as the systems and practices selected for special examination);
the approach and methodology to be used for gathering evidence (e.g. sampling, review of documentation);
the planned reliance on work performed and/or reports prepared by internal audit, OAG internal specialists, and consultants and specialists engaged by the entity (and the work performed by the annual audit team, if relevant);
the information to be requested from entities;
how the evidence will be analyzed;
assignment of responsibilities to team members; and
the estimated budget and timeline for each step and the resources required.
There are many ways to collect the data that will provide the required audit evidence. Questions about the best way to gather the right kind of data for analysis begin when the audit team is developing the audit logic matrix (OAG Audit 4044 Developing the audit strategy: audit logic matrix). The audit objectives and criteria determine the kind of data to be gathered, the appropriate tests, and the type of analysis to be conducted. OAG Audit 4045 Evidence-gathering methods and OAG Audit 1052 Audit procedures for obtaining audit evidence provides information on the data-gathering methods.
Audit teams consult relevant internal specialists when developing audit programs.
Resourcing the audit based on the planned work
Audit programs are the basis for developing detailed budgets for the examination and reporting phases of the audit. Once the audit team has determined the work that is required for the audit, work is allocated by team member and by month in order to develop the final budget for the audit. The audit director should do this keeping in mind the availability, level, and experience of team members; a realistic estimate of the time required for each task; and any other constraints.
Approval of audit programs
Audit programs (or audit procedures in the ALM) are developed by team members and approved by the audit director. Significant changes or subsequent modifications to the audit programs (or audit procedures in the ALM) should be documented by the team and approved by the audit director.
As work proceeds in the examination phase, the audit team documents the work performed and the findings for each step. As a result of evidence obtained in the course of the audit, unexpected events or changes in conditions of the audit, audit programs might need to be modified. The auditor evaluates such information in terms of its impact on the audit programs and amends them when appropriate.
OAG Audit 7021 Evaluate the sufficiency and appropriateness of audit evidence describes the process for completing the audit program and analyzing audit evidence to ensure it is sufficient and appropriate.
Once completed, audit programs are the basis upon which the engagement leader will determine if sufficient appropriate evidence has been gathered to draw a conclusion against the audit objective (OAG Audit 7040 Audit conclusion).