Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
11002 Guiding Principles for Auditing Authorities
Jun-2019
In This Section
Overview
This section explains:
- The 7 guiding principles for auditing authorities
The 7 Guiding Principles
OAG Guidance
The guiding principles were developed to clarify the OAG’s expectations for auditing compliance with authorities. The principles summarize and clarify certain aspects of our methodology; however they are based on the existing methodology (policies, guidance and tools). The principles are to be used in conjunction with the policies and guidance of OAG Audit 11000 and the related procedures at B.4.PRG–Assess Risk and E.1.PRG–General Execution Procedures. Here are the 7 guiding principles for auditing authorities:
1. Auditors should scope key authority instruments into every financial audit regardless of whether or not our auditor’s report includes a separate opinion on compliance with authorities. (OAG Audit 11001)
Question: What’s the difference in how we audit entities for which compliance with authorities is included within our auditor’s report (e.g. consistent application of GAAP, compliance of transactions that come to our attention, proper books of account) versus those audits where the reporting responsibilities particular to the mandate do not require us to express an opinion on authorities?
Answer: There is no difference; in both, scoping or execution of these audits. Compliance with authorities is an integral part of our duties as legislative auditor of federal government institutions. As such, compliance with authorities should be scoped into all our annual audit work. We should focus our efforts on key authorities and may report instances of significant non-compliance in our reports even where the “reporting requirements” of a mandate do not specifically require an opinion within our auditor’s report. Below are the office’s views with respect to the form and content of our authorities reporting.
-
We opine on authorities when this is part of our mandate as directed by the FAA, Territorial FAA, Territorial Act, enabling legislation of the entity, other statute, order in council, etc.
-
When such a requirement exists, the form and content of the authorities paragraph is based on the legislation that outlines our mandate, AuG-48 and AuG-49.
-
Notwithstanding a legislative mandate to opine on compliance with authorities, we examine compliance with authorities in every financial audit we perform per our audit methodology.
-
We will report significant non-compliance with authorities in our auditor’s report even when our auditor’s report form was not directed to include such content.
2. In order to scope “important provisions” of the “key authority instruments” we consider whether an instance of non-compliance would be worthy of reporting or presents a risk to the office’s reputation if not detected.
When performing risk assessment procedures required in CAS 315 and further discussed in OAG Audit 5000, auditors take into account the broader objective and mandate of the Auditor General to call attention to anything that he considers to be of significance and of a nature that should be brought to the attention of the Parliament. Significant non-compliance with authorities is a matter that should be reported.
We conduct authorities work to address the risk that the entity has not complied with the authorities that govern its activities. Our risk as legislative auditor is that we fail to report significant non-compliance with key legislative authorities when the importance and impact of the non-compliance would require us to inform the Parliament through audit report.
Authorities governing the federal entities we audit may be various and from different sources. They include
-
legislative authorities which are high-level authorities legislated by Parliament and that govern public sector entities, and
-
financial and management authorities which deal with the day to day stewardship and control issues within public sector entities.
An effective and efficient audit on compliance with legislative authorities focus on key authorities instruments and requirements.
What are the “Key Authorities Instruments”?
-
For Crown corporations, Part X of the FAA and its regulations, the Crown corporation’s enabling legislation, its by-laws and directives under section 89 of the FAA. Our annual audit mandate requires an opinion on compliance with these authorities.
-
For other entities (e.g. agencies, departmental corporations, boards or commissions, etc.) applicable legislation or by-laws.
-
For the public accounts, primarily the FAA and its regulations and those aspects of the entity’s enabling legislation, program legislation, and related regulations.
The “important provisions” of the key authorities instruments, keep in mind the concept of provisions for which an instance of non-compliance would be worthy of reporting or present a risk to the office’s reputation if not detected.
Therefore, it is critical that the auditor fully understand the authority framework governing the entity, the audit mandate, and the transactions subject to audit. Otherwise, there is a risk the audit procedures will not be tailored to the specific requirements for auditing compliance with authorities or will be inappropriately executed.
3. Identifying key authority instruments and important provisions of the engagement requires professional judgement. However, for consistency certain provisions of pervasive authority instruments such as the FAA and CBCA have been prescribed as “important provisions” and wherever applicable are in scope (i.e. should be tested).
Auditors should apply professional judgement when scoping the key authority instruments meaning, provisions should be considered important where an instance of noncompliance would be “. . . worthy of reporting or presents a risk to the office’s reputation if not detected.”
Due to the pervasive relevance of the FAA and CBCA and to ensure consistency across the practice the office has identified the important provisions which are to be considered “in-scope where relevant” for these 2 pieces of legislation. This means if provisions included within the FAA or CBCA tabs of the procedure "Compliance with Authorities" within the program "General Execution Procedures" is relevant and significant to the circumstances of the engagement it is deemed to be “in-scope” and the auditor designs audit procedures.
So wherever a provision within these tab are relevant and significant to the circumstance of the audit, irrespective of the assessed level of inherent risk the OAG’s expectation is the provision will be audited. A “normal” inherent risk assessment is not sufficient reason to de-scope the provision.
4. For all important provisions regardless of our reporting requirements, the auditor shall design procedures to support a conclusion concerning compliance.
We design our audit approach based on the results of our authority scoping for important provisions not on the reporting requirements. We then assess risk to determine our “desired level of evidence” and apply our understanding of the entity to ensure we design appropriate procedures.
5. The auditor’s risk assessment for a provision will affect the desired level of evidence and therefore the nature, timing and extent of audit effort.
The auditor designs procedures to achieve a desired level of evidence consistent with their risk assessment; however, a provision identified as important / “in-scope” may not be de-scoped due to the assessed level of risk. The auditor’s risk assessment determines the desired level of evidence which along with the auditor’s understanding of the entity and it relate business processes directly impact the audit strategy and testing to be performed.
6. For authorities testing, no SUM de minimis or similar $ threshold is established for exceptions.
All potential cases of reportable non-compliance with authorities should be referred to the engagement leader for assessment and resolution. Such situations often involve legal interpretation of the relevant facts of the case, and will normally require consultation with the Internal Specialist—Compliance with Authorities and Legal Services.
Non-compliance with authorities is considered significant and reportable where there is a serious deviation from legislative and other authorities with respect to purpose, monetary limits, and other restraints.
7. The impact of non-compliance on our audit report is a matter requiring professional judgement and involvement of the engagement leader.
Although compliance is normally a yes-or-no situation, the auditor has to assess the significance of the non-compliance situation identified and the attitude of the entity, as not all instances of non-compliance will necessarily be reported. See OAG Audit 11014 for the factors to consider when evaluating the significance of a non-compliance situation.