1031 Ethical Requirements Relating to an Assurance Engagement

Dec-2023

Relevant ethical requirements

As a legislative audit office, we have a responsibility to act in the public interest. In doing so, we observe and comply with the OAG’s Code of Values, Ethics and Professional Conduct which is applicable to all Office employees.

To perform any assurance engagement, team members also need to observe and comply with relevant rules of professional conduct/codes of ethics applicable to the practice of public accounting issued by the various professional accounting bodies in Canada. In most of our engagements, the applicable rules are the CPA Code of Professional Conduct issued by the relevant provincial order. This means that a team member that is a non-member of any CPA order in Canada is required to observe and comply with relevant rules of CPA Code of Professional Conduct to perform an engagement. Team memberss who belong to a different professional association may also be governed by the codes and by-laws of that body.

Relevant ethical requirements are derived from five fundamental principles of ethics:

• professional behaviour,
• integrity and due care,
• objectivity,
• professional competence,
• confidentiality.

Professional behaviour. Employees conduct themselves at all times in a manner that will maintain the good reputation of the profession and the Office and its ability to serve Parliament, territorial legislatures, governments, and Canadians.

In doing so, employees are expected to avoid any action that would discredit the Office of the Auditor General of Canada. An employee’s behaviour should be based primarily on a reputation for professional excellence. An employee is expected to provide other employees with the courtesy and consideration he or she would expect to receive from them.

Integrity and due care. To be straightforward and honest in all professional and business relationships and to act diligently and according to applicable technical and professional standards.

Employees are expected to be straightforward, honest, and fair in all professional relationships. A person who acts with honesty and truthfulness, and whose actions, values, and principles are consistent, is described as having integrity. The expectation to operate with due care requires employees to act diligently and according to applicable technical and professional standards when performing assurance engagements. Diligence includes the responsibility to act, in respect of an engagement, carefully, thoroughly, and on a timely basis.

Objectivity. To not allow bias, conflict of interest, or the undue influence of others to override professional or business judgments.

Parliament, territorial legislatures, governments, and Canadians expect the Office of the Auditor General of Canada to bring objectivity and sound professional judgment to its work. It is thus essential that an Office employee does not put external influences or the will of others before professional judgment.

The public interest in the objectivity of the Office requires that the Office and its employees be, and be seen to be, free of influences that would impair the Office’s and its employees’ objectivity. Accordingly, the Office and its employees must be independent. The ethical standard of independence requires the Office and its employees to be and remain free of any influence, interest, or relationship regarding an entity’s affairs that impairs or, in the view of a reasonable observer, would impair the Office’s and its employees’ professional judgment or objectivity. An objective person does not allow bias, conflict of interest, or the influence of others to compromise judgment.

Regarding both independence and conflicts of interest, the Office employs the criterion of whether a reasonable observer would conclude that a specified situation or circumstance posed an unacceptable threat to the Office’s and its employees’ objectivity and professional judgment. Only then can public confidence in the objectivity and integrity of the Office be sustained; the reputation and usefulness of the Office rest upon this public confidence. A “reasonable observer” is a hypothetical individual who has knowledge of the facts that the Office and its employees knew or ought to have known, and applies judgment objectively with integrity and due care.

Professional competence. To maintain professional knowledge and skill at the level required to ensure that an entity receives competent professional services based on current developments in practice, legislation, and techniques.

Parliament, territorial legislatures, governments, and Canadians expect the Office of the Auditor General of Canada and its employees to maintain a high level of competence. This underscores the need to maintain individual professional skill and competence by keeping abreast of and complying with developments in professional standards and pertinent legislation in all areas where the Office and its employees practise or are relied upon.

Confidentiality. To respect the confidentiality of information acquired as a result of professional and business relationships and, therefore, not disclose any such information to third parties without proper and specific authority, unless there is a legal or professional right or duty to disclose, nor use the information for the personal advantage of the employee or third parties.

The principle of confidentiality includes the need to maintain the confidentiality of information within the Office of the Auditor General of Canada (OAG Audit 1192 Confidentiality, safe custody, integrity, accessibility, and retrievability of engagement documentation).

The disclosure of confidential information by the Office and its employees may be required or appropriate where such disclosure is

• permitted or authorized by the entity;
• required by law; or
• permitted or required by a professional right or duty, when not prohibited by law.

The Office’s mandate in the Auditor General Act with respect to reporting on its performance audits and the work of the Commissioner of the Environment and Sustainable Development is to report to Parliament; any ability the Office has to provide its reports to the public is incidental to its mandate to report to Parliament and follows reporting to Parliament. As an officer of Parliament, the Office reports directly to Parliament, which has the right to receive the reports before anyone else, according to the procedures set out in the Auditor General Act. Any other manner of reporting or releasing the information could be regarded by Parliament, or the House of Commons, as a breach of parliamentary privilege or as contempt of Parliament.

Understanding and fulfilling relevant ethical requirements

Auditors should have an understanding of the relevant ethical requirements, including those related to independence, to which the Office’s and the engagement are subject and to fulfill their responsibility in relation to those relevant ethical requirements. Various information, communication and resources help assist the engagement team in understanding and fulfilling relevant ethical requirements applicable to the nature and circumstances of the audit engagement.

• Communication of the independence requirements to engagement teams
• Training related to relevant ethical requirements
• Audit manual containing the provisions of the relevant ethical requirements and guidance on how they are applied in the nature and circumstances of the Office and its engagement
• Established policies and procedures requiring engagement team members to communicate instances of threat to independence and breach of the relevant ethical requirements
• Internal specialist, Values and Ethics, who provides consultation on matters related to relevant ethical requirements
• OAG Code of Values, Ethics and Professional Conduct. The OAG Code of Values, Ethics and Professional Conduct outlines the values and ethics that guide and support Office employees in their professional activities.  All individuals and entities performing work for or on behalf of the Office are required to accept and adhere to the values and behaviours outlined in the Code.
• Rules of professional conduct / code of ethics issued by the various professional accounting bodies. The rules of professional conduct and/or code of ethics applicable to the employee by virtue of his or her personal professional standing or membership in a professional accounting body in Canada comprise relevant independence and other ethical requirements and contain rules and guidance that are aimed at serving the public interest.  Where the rules / code in two or more jurisdictions conflict, the higher or stronger of the conflicting rules / codes is to be complied with, where possible.
• Self-declaration: Conflict of Interest Declaration form. As required under the OAG Code of Values, Ethics and Professional Conduct, Office employees filed the Conflict of Interest Declaration form at the start of employment with the Office, annually thereafter, and when there is any change in an employee’s situation.

Framework for resolving threats

Engagement team members promptly notify the engagement leader of circumstances and relationships that create threats to relevant ethical requirements.

If matters come to the engagement leader’s attention, through the system of quality management or otherwise, that indicate that a member of the engagement team has a threat to relevant ethical requirements that is other than insignificant, the engagement leader will propose a resolution by applying the framework below for resolving threats to their assurance engagement.

It is not possible to define every situation that creates a threat to compliance with the relevant ethical requirements. The nature of engagements and work assignments differs, with the result that different threats may be created, requiring the application of different safeguards.

As such, the Office expects engagement teams to apply the following framework when identifying, evaluating and resolving threats to compliance with relevant ethical requirements. This framework requires the Office and its employees to

• identify threats to compliance with relevant ethical requirements;
• evaluate the significance of the identified threats;
• apply safeguards, when necessary, to eliminate the threats or reduce them to an acceptable level; and
• document, as necessary, how the safeguards eliminate the threat or reduce it to an acceptable level.

OAG Audit 3031 Independence provides specific guidance related to resolving threats to independence.

Identifying threats to compliance with relevant ethical requirements. Threats to compliance with the relevant ethical requirements must be considered before and during an assurance engagement.

Threats may fall into one or more of the following categories:

• Self-interest. This threat occurs when the Office, or a person on the engagement team, could benefit directly or indirectly from an interest or relationship with an assurance entity, its directors, officers, and/or employees. Circumstances that may create a self-interest threat include

  (a) a member of the engagement team entering into employment negotiations with the entity,

  (b) a member of the engagement team owning securities in publicly traded companies and/or financial institutions that benefit significantly from the entity’s support or coverage,

  (c) a spouse or partner of a member of the engagement team having a contract or some other financial arrangement with an entity that confers a benefit, or

  (d) discovering a significant error when evaluating the results of a previous assurance engagement.

• Self-review. This threat occurs when any product or judgment from a previous engagement needs to be evaluated in reaching conclusions in the current engagement. Circumstances that may create a self-review threat include

  (a) a person on the engagement team who was recently an employee of the audited entity and is in a position to exert direct and significant influence over the subject matter and conduct of the engagement,

  (b) a member of the Office performing services for the audited entity that directly affect the subject matter of the audit, or

  (c) an employee of the Office preparing data that is used to generate financial statements or other records that are the subject of the audit.

• Advocacy. This threat occurs when the Office, or a person on the engagement team, promotes a position or opinion to the point that objectivity may be, or may be perceived to be, impaired. The circumstance that may create an advocacy threat is when

  (a) a person on the engagement team is a member of an organization that promotes a particular viewpoint with the intent of influencing government policy related to the public entity.

• Familiarity. This threat occurs when, by virtue of a close relationship with an entity, its directors, officers, or employees, the Office or a person on the engagement team becomes too sympathetic to the entity’s interests. Examples of circumstances that may create a familiarity threat include, but are not limited to:

  (a) a person on the engagement team having an immediate or close family member who is an officer or director of the entity;

  (b) a person on the engagement team having an immediate or close family member who is in a position to exert significant influence over the subject matter of the assurance engagement;

  (c) a former senior member of the Office being an officer or director of the entity or in a position to exert significant influence over the subject matter of the assurance engagement;

  (d) the long association of a senior person on the engagement team with the entity; and

  (e) the acceptance of gifts or hospitality from the entity, its directors, officers or employees, unless the value thereof is clearly insignificant.

OAG Audit 1071 Job rotation outlines the policies designed to mitigate the familiarity threat but also the self-review threat which is relevant for engagement quality reviewers. Also refer to OAG Audit 3031 Independence.

• Intimidation. This threat occurs when a person on the engagement team may be deterred from acting objectively and exercising professional skepticism by threats, actual or perceived, from the directors, officers, or employees of an audited entity. Circumstances that may create an intimidation threat include

  (a) an engagement team member being pressured inappropriately to reduce the extent of work to be performed, or

  (b) an engagement team member feeling pressured to agree with the judgment of an entity employee because the entity employee has more expertise on the matter in question.

When identifying threats to compliance with the relevant ethical requirements, care must be taken as threats are not always direct or overt and, in many cases, they can be quite subtle. Consideration should be given to the public perception of a threat. The “public perception” is that of a “reasonable observer, who has knowledge of the facts, which the auditor knew or ought to have known, and applies judgment with integrity and due care.” Often, the reasonable observer’s perception of a threat is most important and presents the most complexity in determining whether one is complying with the relevant ethical requirements.

The examples provided are intended to be illustrative and not all encompassing. In particular, the movement of personnel between the Office and audit entities, nature and extent of advice or assistance, length of involvement with particular entities, and personal relationships are all examples of circumstances that should be considered. If there are questions regarding the interpretation of these threats, employees should refer them to the responsible supervisor or engagement leader who, in turn, may direct questions regarding policy interpretation to the Internal Specialist, Values and Ethics.

Evaluating the significance of the threats identified. When a threat to the relevant ethical requirements is identified the engagement leader should evaluate its significance, in consultation with the Internal Specialist, Values and Ethics.

The nature of the threats and the applicable safeguards necessary to eliminate them or reduce them to an acceptable level will differ depending on the particulars of the engagement. Senior team members may need to evaluate the relevant circumstances in deciding whether it is appropriate to accept or continue an engagement, or whether a particular person should be on the engagement team.

In considering the significance of any particular matter, qualitative factors should be taken into account. A matter should be considered insignificant only if it is both trivial and inconsequential. Senior engagement personnel should exercise professional judgment in assessing the significance of a threat and in determining which available safeguard(s) to apply.

If the threat is other than insignificant, available safeguards should be identified and, where applicable, applied to eliminate the threat or reduce it to an acceptable level.

Applying safeguards to eliminate or reduce threats to an acceptable level. Determining whether appropriate safeguards are available and can be applied to eliminate the threats or reduce them to an acceptable level requires the exercise of professional judgment.

Where a threat to compliance with the relevant ethical requirements has been identified, or when in doubt, individuals should consult with senior team members or the Internal Specialist, Values and Ethics. The Internal Specialist, Values and Ethics, performs an objective review of the safeguards and actions proposed to eliminate or reduce a threat to relevant ethical requirements.

Safeguards are necessary when threats identified are at a level where a reasonable observer would likely conclude that compliance with the relevant ethical requirements may be compromised.

Senior team members, in consultation with the Internal Specialist, Values and Ethics, evaluate the significance of identified threats. If a threat is other than insignificant, the engagement leader identifies and applies available safeguards to eliminate or reduce the threat to an acceptable level.  The engagement leader promptly communicates with the Internal Specialist, Values and Ethics, who may identify instances where a threat has not been reduced to an appropriate level. The Internal Specialist, Values and Ethics, provides the engagement leader with confirmation that the proposed safeguards and actions were sufficient or that additional actions are required to reduce the threat to an acceptable level.

Safeguards fall into three broad categories:

• those created by the professional accounting bodies, legislation, or regulation;
• those existing within the assurance entity; and
• those existing within the Office’s own systems and practices, including:

  (a) office-wide policies and procedures, and

  (b) engagement-specific policies and procedures.

Safeguards created by the professional accounting bodies, legislation, or regulation include the following:

• education, training, and practical experience requirements for entry into the profession;
• continuing education programs;
• professional standards;
• external practice inspection;
• disciplinary processes;
• participation by members of the public in oversight and governance of the profession; and
• legislation governing the independence requirements of the Office and its employees.

Safeguards within the entity may include the following:

• employees of the entity who are competent to make management decisions,
• policies and procedures that emphasize the entity’s commitment to fair financial or other reporting;
• an active values and ethics program, and
• boards of directors or audit committees who are independent of entity’s management and who can satisfy themselves that the Office and its employees are independent in carrying out its mandate.

Safeguards within the Office’s systems and procedures include Office-wide safeguards such as the following:

• Office leadership that stresses the importance of independence and the expectation that individuals on engagement teams will act in the public interest;
• policies and procedures to implement and monitor quality management of assurance engagements;
• documented independence policies regarding the identification of threats to independence, the evaluation of their significance, and the identification and application of appropriate safeguards to eliminate or reduce the threats, to an acceptable level, other than those that are clearly insignificant;
• internal policies and procedures, including annual reporting by Office employees, to monitor compliance with Office policies and procedures as they relate to independence;
• policies and procedures that will enable the identification of interests or relationships between the Office or those on the engagement team and the entity;
• internal performance measures that do not put excessive pressure on engagement leaders and do not over-emphasize budgeted hours;
• timely communication of the Office’s policies and procedures, and any changes to them, to all Office employees, and appropriate training and education on them;
• designation of a member of the Office’s senior management team as responsible for overseeing the adequate functioning of the safeguarding system;
• a means of advising all Office employees of those entities and related entities from which they should be independent;
• an internal disciplinary mechanism to promote compliance with Office policies and procedures; and
• policies and procedures that empower Office employees to communicate, without fear of retaliation, to senior levels within the Office any issue regarding independence and objectivity that may concern them.

Safeguards within the Office’s systems and procedures include engagement-specific safeguards such as the following:

• involving another person to review the work done or advise as necessary. This person could be someone from outside the Office, or someone from within who was not otherwise associated with the engagement team. The person should be independent of the entity and will not, by reason of the review performed or advice given, be considered part of the engagement team;
• consulting a third party, such as a committee of independent directors, a professional regulatory body, or a professional colleague;
• rotating senior personnel on the engagement team;
• discussing independence issues with the board of directors or audit committee;
• implementing policies and procedures to ensure that individuals on the engagement team do not make, or assume responsibility for, management decisions for the entity;
• involving another firm to perform or re-perform part of the assurance engagement; and
• removing a person from the engagement team when that person’s financial interests, relationships, or activities create a threat to independence.

Familiarity threats should be assessed with reference to the guidance included in OAG Audit 1071 Job rotation, and independence threats should be addressed with reference to OAG Audit 3031 Independence.

Documenting, as necessary, threats to compliance with relevant ethical requirements. The engagement leader documents the substance of the issue and details of any discussions held or decisions made regarding a significant threat to relevant ethical requirements. In such instances, an Exception Report may be completed to record the actions taken to resolve the issue.

For each threat identified as other than insignificant, documentation should include a description of

• the nature of the engagement;
• the identified threat;
• the safeguard or safeguards identified and applied to eliminate the threat or reduce it to an acceptable level; and
• an explanation of how, in the engagement leader’s professional judgment, the safeguards eliminate the threat or reduce it to an acceptable level.

Exception reports that have been completed for the resolution of a threat to relevant ethical requirements are not filed in the audit file due to the personal nature of their content; they are given to Information and Data Management for filing purposes. The Internal Specialist, Values and Ethics, may help ensure that Information and Data Management receives a copy of documentation for filing purposes.

OAG Audit 3031 Independence provides a further description of the exception reporting process used for resolving threats to independence of engagement team members.

Breach of relevant ethical requirements

Engagement personnel promptly notifies the engagement leader of a breach of relevant ethical requirements.

If matters come to the engagement leader’s attention, through the system of quality management or otherwise, that indicate that a member of the engagement team is in breach of relevant ethical requirements, the engagement leader, in consultation with the Internal Specialist, Values and Ethics, will

• evaluate information on the identified breach,
• determine the impact of the breach on the assurance engagement, and
• determine the appropriate action to be taken.

The engagement leader documents, as necessary, the substance of the breach and details of any discussions held or decisions made regarding the breach. In such instances, an Exception Report may be completed to record the actions taken.

When a breach of an Independence rule has occurred, refer to the section OAG Audit 3031 Independence.

Taking appropriate action

Appropriate actions may include, for example:

• Following the Office's policies or procedures regarding breaches of relevant ethical requirements, including communicating to or consulting with the appropriate individuals so that appropriate action can be taken, including as applicable, disciplinary action(s).
• Communicating with those charged with governance.
• Communicating with regulatory authorities or professional bodies.
• Seeking legal advice.
• Withdrawing from the assurance engagement.