11012 Identify and assess risks of non-compliance with authorities
Jun-2019

Overview

This topic explains:

  • What the risks of non‑compliance with authorities and the related audit risk are.
  • The risk assessment of non‑compliance with authorities.
  • The risk assessment procedures and documentation in the audit file.
  • The OAG Policy regarding the risk assessment for non‑compliance.

Risk of non‑compliance and audit risk

OAG Guidance

When performing risk assessment procedures required in CAS 315 and further discussed in OAG Audit 5000, auditors take into account the broader objective and mandate of the Auditor General to call attention to anything that he considers to be of significance and of a nature that should be brought to the attention of the Parliament. Significant non‑compliance with authorities is a matter that should be reported.

We conduct authorities work to address the risk that the entity has not complied with the authorities that govern its activities. Our risk as legislative auditors is that we fail to report significant non‑compliance with key legislative authorities when the importance and impact of the non‑compliance would require us to inform Parliament through the audit report.

Authorities governing the federal entities we audit take various forms and come from different sources. They include:

  • legislative authorities which are high-level authorities legislated by Parliament and that govern public sector entities; and
  • financial and management authorities which deal with the day to day stewardship and control issues within public sector entities.

An effective and efficient audit of compliance with legislative authorities focuses on key authority instruments and requirements. That is:

  • For Crown corporations, Part X of the FAA and its regulations, the Crown’s enabling legislation, its by‑laws and directives under section 89 of the FAA. Our annual audit mandate requires an opinion on compliance with these authorities.
  • For other entities (e.g. agencies, departmental corporations, boards or commissions, etc.) any enabling legislation or by‑laws.
  • For the public accounts, primarily the FAA and its regulations and those aspects of the entity’s enabling legislation, program legislation, and related regulations.

It is critical that the auditor fully understand the authority framework governing the entity, the audit mandate, and the transactions subject to audit. Otherwise, there is a risk that the audit procedures will not be tailored to the specific requirements for auditing compliance with authorities or will be inappropriately executed.

Identify and assess risks of non‑compliance

CAS Requirement

The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for: (CAS 315.13)

(a) The identification and assessment of risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels; and

(b) The design of further audit procedures in accordance with CAS 330.

The auditor shall design and perform risk assessment procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory.

The auditor shall perform risk assessment procedures to obtain an understanding of (CAS 315.19):

(a) The following aspects of the entity and its environment:

(i)   The entity’s organizational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT;

(ii)  Industry, regulatory and other external factors; and

(iii) The measures used, internally and externally, to assess the entity’s financial performance;

CAS Guidance

Relevant regulatory factors include the regulatory environment. The regulatory environment encompasses, among other matters, the applicable financial reporting framework and the legal and political environment and any changes thereto. Matters the auditor may consider include (CAS 315.A70):

  • Regulatory framework for a regulated industry, for example, prudential requirements, including related disclosures.
  • Legislation and regulation that significantly affect the entity’s operations, for example, labor laws and regulations.
  • Taxation legislation and regulations.
  • Government policies currently affecting the conduct of the entity’s business, such as monetary, including foreign exchange controls, fiscal, financial incentives (for example, government aid programs), and tariffs or trade restriction policies.
  • Environmental requirements affecting the industry and the entity’s business.

CAS 250 includes some specific requirements related to the legal and regulatory framework applicable to the entity and the industry or sector in which the entity operates (CAS 315.A71).

For the audits of public sector entities, there may be particular laws or regulations that affect the entity’s operations. Such elements may be an essential consideration when obtaining an understanding of the entity and its environment (CAS 315.A72).

In exercising professional judgment as to the assessment of the risk of material misstatement, public sector auditors may consider the complexity of the regulations and directives, and the risks of non‑compliance with authorities (CAS 315.A217).

OAG Guidance

Public Accounts of Canada

Each year the “Central Team,” the OAG Audit team responsible for the audit of the Summary financial statements of the Government of Canada (Public Accounts), assesses the risk of non‑compliance with authorities at the government level and determines the key authorities departmental audit teams should focus on. The Central Team gives its annual instructions in two main documents:

1) Public Accounts—Instructions to Component Audit Teams

2) Public Accounts—Specific audit procedures Guidance

Entity audit teams (OAG audit teams responsible for the audit of a Department or other entities) are expected to create their own inventory of financial authority risk factors based on their entity’s enabling legislation and any related regulations. Entity engagement leaders are responsible for determining the risks they believe are significant to their entity. This process involves a risk analysis and an assessment of the potential for non‑compliance. Based on this work, the entity engagement leader selects additional authorities for examination on a rotational basis.

Entity teams should complete a review of the results of any audit work performed by the internal audit department that touches on compliance with authorities. The entity teams will then design a detailed audit program, and after discussion with the Central Team, perform the associated audit work required and report on the results.

To ensure appropriate assessment of compliance with the scope and limit of the vote, an authority component should also be included in any spending, borrowing, or revenue transaction selected for substantive verification. The objective here is to determine whether the transaction met the intended purpose of the underlying authority. Where there is reliance on internal financial controls for purposes of the audit, components dealing with compliance with authority should be included in the tests of relevant controls.

Crown Corporations and Other Entities

In developing the strategic direction, an assessment should be made of the risk of significant non‑compliance with the identified governing authorities. A number of factors must be considered in this assessment, including knowledge of the entity, past audit experience, and management’s attitude towards compliance. It is important to involve senior members of the audit team in making these judgments. For new or amended authorities, the engagement leader should consult with entity management to obtain a clear understanding of the implications to the entity and, correspondingly, to the audit approach.

The auditor should keep in mind the compliance with authorities aspects of the audit throughout the various phases of the audit. Accordingly, the auditor would consider the implications on compliance auditing in doing such things as gathering information on client accounting and information systems, assessing the control environment, developing detailed audit programs, and assessing audit results. To the extent practicable, procedures for assessing compliance with authorities should be integrated with the audit procedures of the related financial statement component(s) or FSLI.

Some legislative requirements of the FAA and other authorities are not necessarily related to individual FSLIs. For example, provisions relating to the need to have corporate plans and budgets, an internal audit function, and so on do not directly affect the financial statements. Specific audit procedures may need to be applied as part of auditing these elements of compliance with authority.

Another important point is that the significance and/or risk associated with a particular authority can be quite different from that of a related financial statement assertion(s) for the same component. Consequently, there may be lesser or greater testing requirements for authorities than for financial statement assertions. For example, an entity’s short-term investment program may be considered low risk for financial statement purposes, but there could be concerns that the corporate by‑law governing the investing activities is not being complied with.

Risk assessment procedures and documentation

OAG Guidance

Risk assessment procedures for compliance with authorities are integrated with the risk assessment procedures of material misstatements in the financial statements and include:

  • Inquiries of management and of others within the entity;
  • Analytical procedures; and
  • Observation and inspection.

Therefore, the auditor should always consider the authorities aspects when performing inquiries of management and of others within the entity, analytical procedures (for example, comparisons between the approved budget, the parliamentary appropriation and forecast expenses) and inspection of documents such as the Corporate Plan, forecasts of expenses, minutes of Board meetings, etc.

In addition, as part of the risk assessment procedures, the auditor should:

  • Understand the authority framework governing the entity and the transactions subject to audit.
  • Identify new or amended authority instruments since the prior audit, and more specifically new or amended legislative authorities. In some cases, discussions with management and the entity’s legal services, as well as with OAG Legal Services, may be needed to ensure we clearly understand the implications of these new or amended authorities and their application to the entity audited and to our audit approach.
  • Review copies of relevant authority instruments to identify significant authority provisions. Significant provisions may be seen as a function of the implication of the provision to the operations of the entity as well as the risk that the entity may not be able to meet the requirements of the provision.

The following factors may be considered when assessing the significance of a provision:

  • Dollar materiality of the transaction(s)—significantly less or greater than materiality.
  • Public or Parliamentary sensitivity—for example sensitive matters such as Executive and Board compensation and travel and hospitality expenses.
  • Directness of the requirement—general requirement or requirement specific to the entity.
  • Hierarchy of the requirement—matters internal to the government or the entity (e.g. Treasury Board policy, by‑law) or statutory requirement.
  • Potential impact of non‑compliance on the entity’s performance—little or major potential impact.
  • Pervasiveness of non‑compliance—isolated transaction or systemic issue.
  • Entity attitude—whether compliance with authorities is promoted and corrective action taken or entity considers there is no problem.
  • Clarity of non‑compliance—whether the provision is open to interpretation or the non‑compliance is clear.
  • Government-wide effects—whether the non‑compliance affects only one entity or many entities, central agencies or Parliament (possible other matter) and, particularly, whether the non‑compliance relates to an erosion of parliamentary controls.

Note that the same factors are used when assessing the significance of an identified non‑compliance and making reporting decisions.

Auditors of Crown corporations may use the following templates attached to the “Compliance with Authorities” procedure document to assist them in identifying the significant authority provisions or issues and document the risk assessment of non‑compliance:

  • Financial Administration Act and Regulations
  • Canada Business Corporations Act
  • Specific Authority for other key authority instruments relevant to the corporation, such as the enabling legislation, regulations and by‑laws.

Auditors document the risk assessment of non‑compliance with authorities in the procedure “Compliance with authorities”.

Significant risks are reported in the Audit Planning Template, and appropriate audit procedures are designed in response to the identified risks.

OAG Policy

The engagement leader shall ensure that the audit team designs an effective and efficient approach to auditing compliance with authorities, and that the approach is based on an assessment of significance and risk. [Oct-2012]

OAG Guidance

Building on the information gathered during the audit risk assessment, the engagement leader should ensure that:

  • the relevant authority requirements have been identified;
  • the authority requirements have been reviewed and significant risk identified; and
  • the audit approach, including any specific procedures considered necessary for providing sufficient, appropriate audit evidence in relation to these significant authorities, has been included in the tailored audit programs for the relevant components to address compliance with authorities issues.

Related Guidance

Planning Activities—OAG Audit 4000

Identify and Assess Audit Risks of Material Misstatement—OAG Audit 5000

Fraud—OAG Audit 5500