Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
2041 Data auditing (Using detailed electronic entity data and data analysis tools in audit procedures)
Sep-2022
In This Section
Understand the business, assess risk and determine audit strategy
Respond to risk and gather evidence
Communicate with management and those charged with governance
OAG Guidance
Data auditing may provide a means of analyzing large volumes of detailed electronic entity data in a manner not easily achievable through manual procedures.
Various tools are currently available that better utilize existing entity data in the performance of auditing procedures. These tools encompass various functionalities including but not limited to:
- Extracting data from the entity’s system
- Performing data validation routines
- Categorizing data by attributes
- Reperforming calculations
- Developing data visualizations and analysis
The use of detailed electronic entity data in audit procedures may enhance the effectiveness and efficiency of our audits when such data is readily available and conducive to efficient electronic analysis. Other situations where the use of detailed electronic data can be very beneficial include when there are computations done by the system with high audit risk, computations done by a system that is known to be error prone, computations done by a newly implemented system, and when functionality of the systems includes extensive interfacing between systems.
Engagement teams need to consider the availability and use of detailed electronic data in the entire audit process during engagement planning.
OAG Guidance
Entity environments have been rapidly digitized in the last decade. As both software and hardware technology have advanced, detailed electronic data has become easier and more efficient to obtain and analyze than in the past. Affordable massive storage media, as well as common data protocols, such as eXtensible Business Reporting Language (XBRL), further increase the availability and usability of detailed electronic data. We might consider ways to make intelligent use of this data in our audit procedures.
The availability and analysis of detailed electronic entity data may give engagement teams the opportunity to obtain a deeper understanding of the entity’s processes, transactions and risks during planning, as well as contribute to our evidence gathering activities. This can improve audit quality by enabling a better insight into risks of misstatement inherent in account balances and transactions or by improving the effectiveness and efficiency of certain audit procedures.
The types of detailed electronic entity data that might be useful to our audits are wide ranging and may include items such as general ledger detail, sub‑ledger detail, trial balance detail, journal entries, master data tables, historical transactional data, etc. The use of detailed electronic entity data in audit procedures will vary depending on individual entity circumstances and the purpose of using such data (e.g., whether the data is a target of our audit procedures versus a source of evidence in our procedures). The quality and availability of the data, our ability to access it and analyze it efficiently, as well as the effort required to determine its reliability, are all relevant considerations in determining whether to use detailed electronic entity data in lieu of or in addition to other sources of data or evidence.
When utilizing detailed electronic data together with data analysis tools, we need to understand both the data and the tool being utilized and their impact on the audit strategy and plan. For example, consider whether the tool helps us to obtain an understanding of the entity and/or to perform risk assessment procedures (e.g., through the analysis of data, which may include visualizations), or whether the tool supports the performance of tests of controls or substantive procedures.
When using tools to obtain audit evidence we need to perform procedures to validate the reliability of the underlying information. See OAG Audit 4028.4 for some examples on report testing with and without ITGC reliance.
Analysis of detailed electronic entity data may be useful in a variety of audit procedures performed in the following phases of the Audit:
- Identifying and Assessing the Risks of Material Misstatement
  - Understand the entity and its environment, and the applicable financial reporting framework and the entity’s system of internal control
  - Risk Assessment Analytics
  - Identify and assess risks of material misstatement
- Respond to Risk and Gather Evidence
  - Journal entry testing
  - Substantive (CAAT) testing
  - Controls testing
  - Fraud detection
- Communicate with Management / Those Charged With Governance
  - Communicating audit findings
  - Value added communications
See OAG Audit 2042 for examples and further considerations for using detailed electronic entity data in each of these audit phases.
The blocks below further explain how using detailed electronic data helps us address the related CAS requirements in a more efficient manner, summarizing the key considerations relevant to different phases of the audit.
CAS Objective
The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement (CAS 315.11).
CAS Requirement
The auditor shall obtain an understanding of the entity’s information system and communication relevant to the preparation of the financial statements, through performing risk assessment procedures, by (CAS 315.25):
(a) Understanding the entity’s information processing activities, including its data and information, the resources to be used in such activities and the policies that define, for significant classes of transactions, account balances and disclosures:
(i) How information flows through the entity’s information system, including how:
a. Transactions are initiated, and how information about them is recorded, processed, corrected as necessary, incorporated in the general ledger and reported in the financial statements; and
b. Information about events and conditions, other than transactions, is captured, processed and disclosed in the financial statements;
(ii) The accounting records, specific accounts in the financial statements and other supporting records relating to the flows of information in the information system;
(iii) The financial reporting process used to prepare the entity’s financial statements, including disclosures; and
(iv) The entity’s resources, including the IT environment, relevant to (a)(i) to (a)(iii) above;
(b) Understanding how the entity communicates significant matters that support the preparation of the financial statements and related reporting responsibilities in the information system and other components of the system of internal control:
(i) Between people within the entity, including how financial reporting roles and responsibilities are communicated;
(ii) Between management and those charged with governance; and
(iii) With external parties, such as those with regulatory authorities; and
(c) Evaluating whether the entity’s information system and communication appropriately support the preparation of the entity’s financial statements in accordance with the applicable financial reporting framework.
OAG Guidance
Financial statements are the result of business activities and transactions within business processes. The entity has controls to mitigate risks within these processes and management uses certain of these controls to monitor the business activities. The use of electronic data may facilitate the risk assessment analytics as part of the risk assessment procedures (CAS 315.14b and A27‑31).
When evaluating the entity’s information system and communication, detailed electronic data may provide insight about the entity’s information systems relevant to financial reporting as required in CAS 315.25. Analyzing detailed electronic entity data may help to corroborate our understanding of the entity’s information systems or to identify anomalous data attributes.
Journal entries are the ultimate output of financial processes and transactions. Double entry bookkeeping ensures that these entries balance. This provides the basis for a top‑down approach to understanding the relationship of journal entries and detailed financial transactions. A data analysis of this relationship can help us gain a deeper understanding of the entity’s processes and therefore the related controls. See OAG Audit 2042 for further details.
The outcome of the risk assessment procedures and related activities is identified and assessed risks of material misstatement (CAS 315.38). We develop an audit strategy and audit plan to mitigate these risks, and we use professional judgment in selecting the appropriate audit procedures, including the decision to rely on internal controls and/or substantive testing procedures. This decision depends on the effectiveness and efficiency of the procedures. Therefore, the availability of detailed electronic data may affect the nature and extent of further audit procedures as outlined below and detailed in OAG Audit 2042.
Finally, through use of electronic data, we may be able to perform substantive procedures concurrently with risk assessment procedures when it is efficient to do so (CAS 315.A19).
CAS Guidance
The use of computer-assisted audit techniques (CAATs) may enable more extensive testing of electronic transactions and account files, which may be useful when the auditor decides to modify the extent of testing, for example, in responding to the risks of material misstatement due to fraud. Such techniques can be used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample (CAS 330.A16).
OAG Guidance
As explained in OAG Audit 7591, CAATs can be used to make the audit more effective and efficient by:
- Automating an existing audit test that is being performed manually, such as testing the mathematical accuracy of a report
- Performing tests that are not feasible to perform manually, e.g., the review of sales transactions for large and/or unusual items for a large entity whereby the number of transactions to be reviewed would be prohibitive from a time perspective to perform manually
CAATs can not only help us to efficiently review all transactions, but they may also do so more effectively. From an efficiency perspective, our internal studies have shown that CAATs may provide considerable savings over a several-year period compared with performing the same test using a manual approach.
CAATs can also be helpful in other ways when gathering evidence. For example:
- The electronic analysis of full populations of data versus mere sampling increases the likelihood that anomalous transactions or events that may have resulted from breakdowns in control would be detected by our audit procedures. In a situation where there is a control deficiency whereby unauthorized access could be granted to the modules in the system, data analytics could help identify whether any unauthorized transaction was actually made.
- Data analysis could also be used to test and verify important reports or data used by management, such as aging of accounts receivable, inventory aging and turnover, gross profit reports, etc.
CAS Requirement
The auditor shall communicate with those charged with governance (CAS 260.16):
(a) The auditor’s views about significant qualitative aspects of the entity’s accounting practices, including accounting policies, accounting estimates and financial statement disclosures. When applicable, the auditor shall explain to those charged with governance why the auditor considers a significant accounting practice, that is acceptable under the applicable financial reporting framework, not to be most appropriate to the particular circumstances of the entity;
(b) Significant difficulties, if any, encountered during the audit;
(c) Unless all of those charged with governance are involved in managing the entity:
(i) Significant matters arising during the audit that were discussed, or subject to correspondence, with management; and
(ii) Written representations the auditor is requesting;
(d) Circumstances that affect the form and content of the auditor’s report, if any; and
(e) Any other significant matters arising during the audit that, in the auditor’s professional judgment, are relevant to the oversight of the financial reporting process.
The auditor shall also communicate to management at an appropriate level of responsibility on a timely basis (CAS 265.10):
(a) In writing, significant deficiencies in internal control that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances; and
(b) Other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention.
OAG Guidance
Our findings from using detailed electronic entity data during the audit may contribute not only to compliance with the CAS requirements, but also to the value proposition to the entity. This may result from the data enhancing our understanding of significant audit findings and their impact, as well as from other observations arising from data analysis performed during our audit process.
Observations are more compelling when supported by robust data. For example, the significance of a deficiency in the control designed to prevent users from processing manual journal entries without proper approval is more impactful if it is also noted that 25 percent of manual journal entries during the period were not properly approved.
OAG Guidance
The following data analysis tool is currently available as a service to engagement teams:
- CAAT for Journals.
Specific additional data analysis tools may be available and could be leveraged when using data during the audit. Consider consulting Data Analytics, who may be aware of such tools and may assist you with using data, to help improve the effectiveness and/or efficiency of our audits.