Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
11012 Identify and assess risks of non-compliance with authorities
Jun-2019
In This Section
Risk of non‑compliance and audit risk
Identify and assess risk of non‑compliance
Overview
This topic explains:
- What are the risk of non‑compliance with authorities and related audit risk.
- The risk assessment of non‑compliance with authorities.
- The risk assessment procedures and documentation in the audit file.
- The OAG Policy regarding the risk assessment for non‑compliance.
OAG Guidance
When performing risk assessment procedures required in CAS 315 and further discussed in OAG Audit 5000, auditors take into account the broader objective and mandate of the Auditor General to call attention to anything that he considers to be of significance and of a nature that should be brought to the attention of the Parliament. Significant non‑compliance with authorities is a matter that should be reported.
We conduct authorities work to address the risk that the entity has not complied with the authorities that govern its activities. Our risk as legislative auditor is that we fail to report significant non‑compliance with key legislative authorities when the importance and impact of the non‑compliance would require us to inform the Parliament through audit report.
Authorities governing the federal entities we audit may be various and from different sources. They include:
- legislative authorities which are high-level authorities legislated by Parliament and that govern public sector entities; and
- financial and management authorities which deal with the day to day stewardship and control issues within public sector entities.
An effective and efficient audit on compliance with legislative authorities focus on key authorities instruments and requirements. That is:
- For Crown corporations, Part X of the FAA and its regulations, the Crown’s enabling legislation, its by‑laws and directives under section 89 of the FAA. Our annual audit mandate requires an opinion on compliance with these authorities.
- For other entities (e.g. agencies, departmental corporations, boards or commissions, etc.) any enabling legislation or by‑laws.
- For the public accounts, primarily the FAA and its regulations and those aspects of the entity’s enabling legislation, program legislation, and related regulations.
It is critical that the auditor fully understand the authority framework governing the entity, the audit mandate, and the transactions subject to audit. Otherwise, there is a risk that the audit procedures will not be tailored to the specific requirements for auditing compliance with authorities or will be inappropriately executed.
CAS Requirement
The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for: (CAS 315.13)
(a) The identification and assessment of risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels; and
(b) The design of further audit procedures in accordance with CAS 330.
The auditor shall design and perform risk assessment procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory.
The auditor shall perform risk assessment procedures to obtain an understanding of (CAS 315.19):
(a) The following aspects of the entity and its environment:
(i) The entity’s organizational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT;
(ii) Industry, regulatory and other external factors; and
(iii) The measures used, internally and externally, to assess the entity’s financial performance;
CAS Guidance
Relevant regulatory factors include the regulatory environment. The regulatory environment encompasses, among other matters, the applicable financial reporting framework and the legal and political environment and any changes thereto. Matters the auditor may consider include (CAS 315.A70):
- Regulatory framework for a regulated industry, for example, prudential requirements, including related disclosures.
- Legislation and regulation that significantly affect the entity’s operations, for example, labor laws and regulations.
- Taxation legislation and regulations.
- Government policies currently affecting the conduct of the entity’s business, such as monetary, including foreign exchange controls, fiscal, financial incentives (for example, government aid programs), and tariffs or trade restriction policies.
- Environmental requirements affecting the industry and the entity’s business.
CAS 250 includes some specific requirements related to the legal and regulatory framework applicable to the entity and the industry or sector in which the entity operates (CAS 315.A71).
For the audits of public sector entities, there may be particular laws or regulations that affect the entity’s operations. Such elements may be an essential consideration when obtaining an understanding of the entity and its environment (CAS 315.A72).
In exercising professional judgment as to the assessment of the risk of material misstatement, public sector auditors may consider the complexity of the regulations and directives, and the risks of non‑compliance with authorities (CAS 315.A217).
OAG Guidance
Public Accounts of Canada
Each year the “Central Team,” the OAG Audit team responsible for the audit of the Summary financial statements of the Government of Canada (Public Accounts), assesses the risk of non‑compliance with authorities at the government level and determines the key authorities departmental audit teams should focus on. The Central Team gives its annual instructions in two main documents:
1) Public Accounts—Instructions to Component Audit Teams
2) Public Accounts—Specific audit procedures Guidance
Entity audit teams (OAG audit teams responsible for the audit of a Department or other entities) are expected to create their own inventory of financial authority risk factors based on their entity’s enabling legislation and any related regulations. Entity engagement leaders are responsible for determining the risks they believe are significant to their entity. This process involves a risk analysis and an assessment of the potential for non‑compliance. Based on this work, the entity engagement leader selects additional authorities for examination on a rotational basis.
Entity teams should complete a review of the results of any audit work performed by the internal audit department that touches on compliance with authorities. The entity teams will then design a detailed audit program, and after discussion with the Central Team, perform the associated audit work required and report on the results.
To ensure appropriate assessment of compliance with the scope and limit of the vote, an authority component should also be included in any spending, borrowing, or revenue transaction selected for substantive verification. The objective here is to determine whether the transaction met the intended purpose of the underlying authority. Where there is reliance on internal financial controls for purposes of the audit, components dealing with compliance with authority should be included in the tests of relevant controls.
Crown Corporations and Other Entities
In developing the strategic direction, an assessment should be made of the risk of significant non‑compliance with the identified governing authorities. A number of factors must be considered in this assessment, including knowledge of the entity, past audit experience, and management’s attitude towards compliance. It is important to involve senior members of the audit team in making these judgments. For new or amended authorities, the engagement leader should consult with entity management to obtain a clear understanding of the implications to the entity and, correspondingly, to the audit approach.
The auditor should keep in mind the compliance with authorities aspects of the audit throughout the various phases of the audit. Accordingly, the auditor would consider the implications on compliance auditing in doing such things as gathering information on client accounting and information systems, assessing the control environment, developing detailed audit programs, and assessing audit results. To the extent practicable, procedures for assessing compliance with authorities should be integrated with the audit procedures of the related financial statement component(s) or FSLI.
Some legislative requirements of the FAA and other authorities are not necessarily related to individual FSLIs. For example, provisions relating to the need to have corporate plans and budgets, an internal audit function, and so on do not directly affect the financial statements. Specific audit procedures may need to be applied as part of auditing these elements of compliance with authority.
Another important point is that the significance and/or risk associated with a particular authority can be quite different from that of a related financial statement assertion(s) for the same component. Consequently, there may be lesser or greater testing requirements for authorities than for financial statement assertions. For example, an entity’s short-term investment program may be considered low risk for financial statement purposes, but there could be concerns that the corporate by‑law governing the investing activities is not being complied with.
OAG Guidance
Risk assessment procedures for compliance with authorities are integrated with the risk assessment procedures of material misstatements in the financial statements and include:
- Inquiries of management and of others within the entity;
- Analytical procedures; or
- Observation and inspection
Therefore, the auditor should always consider the authority’s aspects when performing inquiries of management and of others within the entity, analytical procedures (for ex. comparison between the approved budget, the parliamentary appropriation and forecast expenses) and inspection of documents such as the Corporate Plan, forecasted of expenses, minutes of Board’s meeting etc.
In addition, as part of the risk assessment procedures, the auditor:
- Understand the authority framework governing the entity and the transactions subject to audit.
- Identify new or amended authorities instruments since the prior audit, and more specifically new or amended legislative authorities. In some cases, discussions with management and the entity’s legal services as well as with OAG Legal Services may be needed to ensure we clearly understand the implications of these new or amended authorities and their application to the entity audited and to our audit approach.
- Review copies of relevant authority instruments to identify significant authority provisions. Significant provisions may be seen as a function of the implication of the provision to the operations of the entity as well as the risk that the entity may not be able to meet the requirements of the provision.
The following factors may be considered when assessing the significance of a provision:
- Dollar materiality of the transaction(s)—significantly less or greater than materiality.
- Public or Parliamentary sensitivity—for example sensitive matters such as Executive and Board compensation and travel and hospitality expenses.
- Directness of the requirement—general requirement or requirement specific to the entity.
- Hierarchy of the requirement—matters internal to the government or the entity (e.g. Treasury Board policy, by‑law) or statutory requirement.
- Potential impact of non‑compliance on the entity’s performance—little or major potential impact.
- Pervasiveness of non‑compliance—isolated transaction or systemic issue.
- Entity attitude—whether compliance with authorities is promoted and corrective action taken or entity considers there is no problem.
- Clearness of non‑compliance—possibility of interpretation or non‑compliance is clear.
- Government-wide effects—whether the non‑compliance affects only one entity or many entities, central agencies or Parliament (possible other matter) and, particularly, whether the non‑compliance relates to an erosion of parliamentary controls.
Note that the same factors are used when assessing the significance of an identified non‑compliance and making reporting decisions.
Auditors of Crown corporations may use the following templates attached to the “Compliance with Authorities” procedure document to assist them in identifying the significant authority provisions or issues and document the risk assessment of non‑compliance:
- Financial Administration Act and Regulations
- Canada Business Corporations Act
- Specific Authority for other key authorities’ instruments relevant to the corporation, such as the enabling legislation, regulations and by‑laws.
Auditors document the risk assessment of non‑compliance with authorities in the procedure “Compliance with authorities”.
Significant risks are reported in the Audit planning Template and appropriate audit procedures are designed in response to the identified risks.
The engagement leader shall ensure that the audit team designs an effective and efficient approach to auditing compliance with authorities, and that the approach is based on an assessment of significance and risk. [Oct-2012]
OAG Guidance
Building on the information gathered during the audit risk assessment, the engagement leader should ensure that:
- the relevant authority requirements have been identified;
- the authority requirements have been reviewed and significant risk identified; and
- the audit approach, including any specific procedures considered necessary for providing sufficient, appropriate audit evidence in relation to these significant authorities, has been included in the tailored audit programs for the relevant components to address compliance with authorities issues.
Related Guidance
Planning Activities—OAG Audit 4000
Identify and Assess Audit Risks of Material Misstatement—OAG Audit 5000
Fraud—OAG Audit 5500