Methodology Update—September 2022
Sep-2022

Target audience: All Attest Auditors

Effective date: The revised methodology is effective upon release.

Standards: This update reflects up to CPA Canada—Assurance—Update Number 37—May 2022 (excluding revisions to Canadian standards on quality management at the firm and engagement level, including CSQM 1, CSQM 2 and CAS 220,  which will be reflected in a future methodology update).

Description of subject: The update includes changes to audit manual policies and guidance, audit procedures, templates and Intranet pages. Significant changes to the methodology are summarized below.

Key changes are:

  • New and updated manual sections, to reflect the revised CAS 315R Identifying and Assessing the Risks of Material Misstatement (CAS 315R). The manual was completely reorganized and restructured to insert CAS 315R changes.

  • Normal lower and normal higher inherent risk level have been changed to normal and elevated inherent risk level.

  • New and updated procedures to reflect the revised CAS 315R.

  • New guidance and new and updated procedures for assessing climate‑related risks.

  • New guidance related to certain aspects when preparing legal confirmations.

  • Updated guidance in matters to consider when reviewing minutes.

  • New guidance on extent of understanding and evaluation of internal controls prior to planning sign‑off.

Updates to the Manual

A number of revisions have been made to the annual audit manual sections. The following is a summary of all revisions other than editorial revisions, revisions made solely to CAS extracts or revisions made solely to procedure references:

Section Section Title Nature of Changes
SofQC Sections

1041

Applying Professional Skepticism

New examples of areas where professional skepticism is particularly important when performing annual audits as a result of CAS 315R

1052

Audit procedures for obtaining audit evidence

Enhanced guidance for analytical procedures as a result of CAS 315R

Glossary

Glossary

Updated and added several definitions, including CAS 315R related terms
Annual Audit Sections

1021

Compliance with CAS Objectives and CAS Requirements

Updated guidance for scalability and smaller entities

2041

Data auditing (Using Detailed Electronic entity data and data analysis tools in audit procedures)

Enhanced guidance as a result of CAS 315R

2042

Considerations for using detailed electronic entity data in audit procedures

CAS 315 revised—minor wording change

2051

Using system generated reports

Enhanced guidance on reports generated through end user computing

2101

Introduction

Enhanced guidance as a result of CAS 315R

2102

Overall materiality

Minor wording change

2103

Performance materiality

Enhanced guidance as a result of CAS 315R

2105

De Minimis SUM Posting Level

Enhanced guidance as a result of CAS 315R

2331

Obtaining an Understanding of the Group, Its Components, and Their Environments as Part of Our Risk Assessment Procedures

Enhanced guidance as a result of CAS 315R on Understanding of the system of internal control, including IT, as it relates to the consolidated financial statements of the group

2332

Risk Assessment at the Group Level

Enhanced guidance as a result of CAS 315R

3081.1

Summary of matters for consultations

Updated to reflect changes made throughout the audit manual

3102

Involvement of IT Audit

Enhanced guidance as a result of CAS 315R

Policy change for involvement of IT audit team

4011

Purpose, attendance and timing of the team planning meetings

 Enhanced guidance as a result of CAS 315R

4025

Timing of understanding and evaluation of internal controls

Enhanced/or new guidance on Extent of understanding and evaluation of internal controls prior to documenting the risk assessment and planning sign‑off

4028—IT testing strategy

4028.1

Introduction

Complete reorganization of these sections as a result of CAS 315R

New and enhanced guidance as a result of CAS 315R

4028.2

Is testing of ITGCs likely to be efficient and effective?

4028.3

ITGC testing

4028.4

Testing IT dependencies with and without ITGC reliance

4031

Develop and document an audit plan

New and enhanced guidance as a result of CAS 315R

Deleted OAG policy related to including the Audit Planning Template in the audit file

5011

Risk assessment procedures and related activities

New and enhanced guidance as a result of CAS 315R

5012—Develop initial expectations about risks of material misstatement and the classes of transactions, account balances and disclosures that may be significant

5012.1

Overview

New and enhanced guidance as a result of CAS 315R

5012.2

Use of risk assessment analytical procedures

5012.3

Develop initial expectations about risks of material misstatement and the classes of transactions, account balances and disclosures that may be significant

5013

Determine the Competencies and Capabilities Required to Perform Risk Assessment Activities

New section as a result of CAS 315R

5020—Understanding the Entity and Its Environment, and the applicable financial reporting framework

5021

Understanding The Entity And Its Environment

New and enhanced guidance as a result of CAS 315R

5022

Organizational structure, ownership and governance, and business model

New and enhanced guidance as a result of CAS 315R and minor wording changes

5023

Extent to which the entity’s business model integrates the use of IT

5024

Industry, Regulatory And Other External Factors

5025

Measures used, internally and externally, to assess the entity’s financial performance

5026

Understanding the Entity’s Climate Related Risks

New section for understanding the entity’s climate‑related risks

5027

Understand the applicable financial reporting framework, and the entity’s accounting policies

New and enhanced guidance as a result of CAS 315R and minor wording changes

5028

Understand how inherent risk factors affect susceptibility of assertions to misstatement

5029

Scalability

5030—Understand the entity’s system of internal control, including IT environment

5031

Internal Control and Its Relevance to the Audit

New and enhanced guidance as a result of CAS 315R and minor wording changes

5032

Components of Internal Control—Control Environment

5033

Components of Internal Control—The Entity’s Risk Assessment Process

5034

Components of Internal Control—Information System and Communication

5035—Components of Internal Control—Control Activities

5035.1

Identify controls that address risks of material misstatement at the assertion level

New and enhanced guidance as a result of CAS 315R and minor wording changes

5035.2

Identify the risks arising from the use of IT and the related ITGCs

5035.3

Segregation of duties

5035.4

Information processing objectives

5035.5

Evaluate design and implementation of controls

5035.6

Scalability

5036

Components of internal control—The entity’s process to monitor the system of internal controls

New and enhanced guidance as a result of CAS 315R

5037

Control deficiencies within the entity’s system of internal control

5041

Identify Risks of Material Misstatement

New and enhanced guidance as a result of CAS 315R and minor wording changes

5042

Determine relevant assertions and significant FSLIs

5043—Financial statement level risks

5043.1

Risk assessment framework

New and enhanced guidance and updated  policy in 5043.1 as a result of CAS 315R

Inherent risk level Normal lower, normal higher level have been changed to normal and elevated inherent risk level in 5043.3

5043.2

Assess risks at the financial statement level

5043.3

Assess risks at the FSLI assertion level

5044

Perform overall evaluation

New and enhanced guidance as a result of CAS 315R

5502

Fraud Risk Factors

Enhanced guidance on identifying fraud risk factors, indicators of fraud risks, fraud schemes, and indicators that may suggest the existence of fraud

5504

Risk Assessment And Related Activities

Guidance Document Fraud Risks in the audit file deleted

6011

Identify and document relevant controls

Deleted as the content of this section is now included in other sections

6012

Information processing objectives

6013

Segregation of Duties

6014

Auditing enterprise resource planning systems

6015

Involving a controls assurance specialist

6021

Understand and evaluate the IT environment

Deleted as the content of this section is now included in other sections

6022

Identify relevant IT risks and dependencies

6023

Understand and evaluate relevant ITGCs

6024

IT testing strategy

6025

Testing IT dependencies with and without ITGC reliance

6041

Use Of Service Organizations

New and enhanced guidance as a result of CAS 315R

6043

Service Organization Audit Evidence

Enhanced guidance as a result of CAS 315R

6053

Extent of controls tests

Enhanced guidance for sample sized for dual purpose tests

7043.1

A five step approach to performing accept‑reject testing

Enhanced guidance for applying accept‑reject testing to populations fewer than 200 items

7062

Planning to attend physical inventory counting

New guidance for attending virtual inventory observations

7073.1

Step 1: Perform Risk Assessment Procedures

Enhanced guidance as a result of CAS 315R

7073.6

Step 6: Test Data

New guidance for considerations when using third party information sources

7511

Responsibilities in relation to laws and regulations

New and enhanced guidance as a result of CAS 315R

7522

Risk assessment procedures and related activities

New and enhanced guidance that provides indicative of material uncertainty about the entity’s ability to continue as a going concern

7542

Communication with Entity’s External Legal Counsel

New guidance related to certain aspects when preparing legal confirmations

7561

Minutes of Meetings

Enhanced guidance in Matters to consider when reviewing minutes

7581

Testing reconciliations

Deleted guidance to align section with CAS 315R

8012

Audit report

Updated sections to reflect new requirements for Ontario and Quebec CPAs  when signing independent auditor’s report

8036

Material misstatements in the financial statements or the need to update our understanding of the entity and its environment

Minor wording changes

9054

Formal requirements on written representation

Enhanced guidance for using electronic signatures

Updates to the Annual Audit Procedures

The procedures included in TeamMate library cabinets and on your C Drive have not been updated since we are migrating to Caseware at a later date. The new and updated procedures related to this methodology update can be found in PROXI document 2077926. It is important that teams make sure they have updated their file with procedures found in the PROXI document in order to be CAS 315R compliant.

Action required: Ensure you have the most updated procedure steps and procedure documents moving forward.

Updates to templates

The following is a summary of all revisions other than editorial revisions and any actions that need to be taken:

Planning

Audit Planning Template— Instructions

New instructions have been added as a result of CAS 315R

Instructions need to be used by all audit teams using TeamMate to plan their audit file.

Planning

IT Audit Planning Memorandum

Updated

Updated with the enhanced guidance as a result of CAS 315R and the OAG 3102 policy change for involvement of IT Audit team
Planning Internal Control Framework FAQ and Guide Deleted This template is removed with the new and updated procedures to reflect CAS 315R
Planning Summary of IT Dependencies and Testing Strategy Deleted This template is removed with the new and updated procedures to reflect CAS 315R
Planning Virtual Inventory Observations Documentation Template Added to Templates and Checklists None
Annual Audit Templates
Phase Template Name Change Action Required/Impact

Updates to INTRAnet

The Financial Audit INTRAnet pages reflect the changes included in this Methodology Update.