Annual Audit Manual

COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.

2331 Obtaining an understanding of the group, its components, and their environments as part of our risk assessment procedures
Sep-2022

In This Section

The group engagement team’s understanding

Sufficiency of the group engagement team’s understanding

Other regulatory requirements

Understanding group management’s reporting instructions

The group engagement team’s understanding

CAS Requirement

The auditor is required to identify and assess the risks of material misstatement through obtaining an understanding of the entity and its environment, the applicable financial reporting framework and the system of internal control. The group engagement team shall (CAS 600.17):

(a)   enhance its understanding of the group, its components, and their environments, including group‑wide controls, obtained during the acceptance or continuance stage; and

(b)   obtain an understanding of the consolidation process, including the instructions issued by group management to components.

CAS Guidance

CAS 315 contains guidance on matters the auditor may consider when obtaining an understanding of the industry, regulatory, and other external factors that affect the entity, including the applicable financial reporting framework; the nature of the entity; objectives and strategies and related business risks; and measurement and review of the entity’s financial performance. Appendix 2 of this CAS contains guidance on matters specific to a group, including the consolidation process (CAS 600.A23).

The examples provided cover a broad range of matters; however, not all matters are relevant to every group audit engagement and the list of examples is not necessarily complete (CAS 600 Appendix 2).

Group-Wide Controls

  1. Group-wide controls may include a combination of the following:

    • Regular meetings between group and component management to discuss business developments and to review performance.

    • Monitoring of components’ operations and their financial results, including regular reporting routines, which enables group management to monitor components’ performance against budgets, and to take appropriate action.

    • Group management’s risk assessment process, that is, the process for identifying, analyzing and managing business risks, including the risk of fraud, that may result in material misstatement of the group financial statements.

    • Monitoring, controlling, reconciling, and eliminating intra‑group transactions and unrealized profits, and intra‑group account balances at group level.

    • A process for monitoring the timeliness and assessing the accuracy and completeness of financial information received from components.

    • A central IT system controlled by the same general IT controls for all or part of the group.

    • Controls within an IT system that is common for all or some components.

    • Controls within the group’s process to monitor the system of internal control, including activities of the internal audit function and self‑assessment programs.

    • Consistent policies and procedures, including a group financial reporting procedures manual.

    • Group-wide programs, such as codes of conduct and fraud prevention programs.

    • Arrangements for assigning authority and responsibility to component management.

  2. The internal audit function may be regarded as part of group‑wide controls, for example, when the function is centralized. CAS 610 deals with the group engagement team’s evaluation of whether the internal audit function’s organizational status and relevant policies and procedures adequately support the objectivity of internal auditors, the level of competence of the internal audit function, and whether the function applies a systematic and disciplined approach where the group engagement team expects to use the function’s work.

Consolidation Process

  1. The group engagement team’s understanding of the consolidation process may include matters such as the following:

Matters relating to the applicable financial reporting framework:

  • The extent to which component management has an understanding of the applicable financial reporting framework.

  • The process for identifying and accounting for components in accordance with the applicable financial reporting framework.

  • The process for identifying reportable segments for segment reporting in accordance with the applicable financial reporting framework.

  • The process for identifying related party relationships and related party transactions for reporting in accordance with the applicable financial reporting framework.

  • The accounting policies applied to the group financial statements, changes from those of the previous financial year, and changes resulting from new or revised standards under the applicable financial reporting framework.

  • The procedures for dealing with components with financial year‑ends different from the group’s year‑end.

Matters relating to the consolidation process:

  • Group management’s process for obtaining an understanding of the accounting policies used by components, and, where applicable, ensuring that uniform accounting policies are used to prepare the financial information of the components for the group financial statements, and that differences in accounting policies are identified, and adjusted where required in terms of the applicable financial reporting framework. Uniform accounting policies are the specific principles, bases, conventions, rules, and practices adopted by the group, based on the applicable financial reporting framework, that the components use to report similar transactions consistently. These policies are ordinarily described in the financial reporting procedures manual and reporting package issued by group management.

  • Group management’s process for ensuring complete, accurate and timely financial reporting by the components for the consolidation.

  • The process for translating the financial information of foreign components into the currency of the group financial statements.

  • How IT is organized for the consolidation, including the manual and automated stages of the process, and the manual and programmed controls in place at various stages of the consolidation process.

  • Group management’s process for obtaining information on subsequent events.

Matters relating to consolidation adjustments:

  • The process for recording consolidation adjustments, including the preparation, authorization and processing of related journal entries, and the experience of personnel responsible for the consolidation.

  • The consolidation adjustments required by the applicable financial reporting framework.

  • Business rationale for the events and transactions that gave rise to the consolidation adjustments.

  • Frequency, nature and size of transactions between components.

  • Procedures for monitoring, controlling, reconciling and eliminating intra‑group transactions and unrealized profits, and intra‑group account balances.

  • Steps taken to arrive at the fair value of acquired assets and liabilities, procedures for amortizing goodwill (where applicable), and impairment testing of goodwill, in accordance with the applicable financial reporting framework.

  • Arrangements with a majority owner or minority interests regarding losses incurred by a component (for example, an obligation of the minority interest to make good such losses).

OAG Guidance

Detailed guidance relating to understanding the entity and its environment is included in OAG Audit 5021. This section provides additional guidance for group audits.

Group Structure and Components

The group auditor’s understanding may also include matters such as the following:

  • Group governance.

  • Group management’s monitoring of the group structure and control over changes, including formation and liquidation of components and identification of associated companies, joint ventures, and unconsolidated entities.

  • Recording of and controls over acquisitions or disposals of entities.

  • Accuracy of management’s documentation of the group structure, including shareholders and directors of each component.

  • Group tax structure for tax accrual.

Understanding of the system of internal control, including IT, as it relates to the consolidated financial statements of the group

When obtaining an understanding of the group, we obtain an understanding of the IT environment relevant to the preparation of the consolidated financial statements.

When the group has centralized IT functions, the understanding obtained would ordinarily include gathering information about the nature and characteristics of the IT applications used, as well as the supporting IT infrastructure, that impact component entities subject to the centralized functions where relevant to the audit. When group and component entities share the same, or similar characteristics of the IT environment it is likely that the assessment of the complexity of the IT environment at the group and component level would be similar. When the group team is performing work related to understanding the IT environment that is relevant to the understanding of component auditors the results of the work will need to be communicated to the component auditors impacted.

When the group has decentralized IT functions (i.e., largely separate IT functions operate at the component level) the understanding of the IT environment obtained directly by the group engagement team may be limited to the IT applications and other aspects of the IT environment related to the consolidation process and other group‑wide considerations. In these circumstances the group engagement team may need to obtain its understanding of the decentralized IT environment from the appropriate component auditors if an appropriate understanding of matters such as group‑wide controls cannot be obtained from group management.

See OAG Audit 5034 for guidance related to the assessment of the complexity of the IT environment, including examples 2 and 3 which illustrate an evaluation performed for a group entity at the group level and at the component level.

CAS 600 Appendix 2 provides examples of group‑wide controls that may be identified by the group engagement team when obtaining an understanding of the group. We apply the requirements of CAS 315.26a) and guidance in CAS 315.A151 and OAG Audit 5035.1 to determine whether any of the identified group‑wide controls are to be included in the control activities component. For any of these controls included in the control activities component we evaluate the design effectiveness and determine whether the controls have been implemented as designed. An example of a group level control which may be selected for operating effectiveness testing (i.e., control on which we plan to place reliance), and therefore included in the control activities component, is a business performance review ("BPR") such as a management review of component reporting packages to identify and investigate unexpected fluctuations in the financial performance or position of each component. OAG Audit 5035.1 provides aditional guidance and considerations when evaluating the design effectiveness and implementation of such BPRs.

When the group-wide controls subject to design and implementation evaluation rely on one or more IT dependencies (other than system‑generated reports that we may plan to test substantively) we need to consider risks arising from the use of IT related to the IT dependencies and identify ITGCs that address those risks. In doing so we follow the guidance included in OAG Audit 5035.2.

As explained in OAG Audit 5035.2 we also need to consider other IT risks not associated with underlying IT dependencies and ITGCs addressing those risks. Those broader entity‑wide considerations of the IT environment can be identified at the group level, especially when the group has a centralized IT function. If such risks and ITGCs are identified and tested by the group engagement team, the results of work performed related to those risks and ITGCs are to be communicated to the impacted component auditors. See OAG Audit 2341 for further guidance on communication from the group team to the component auditors.

Related guidance

Further guidance related to the understanding of the entity and its environment is included in:

  • OAG Audit 2341 – Communicating the Group Instructions to Component Auditors
  • OAG Audit 5020 – Understand the Entity and its Environment, and the Applicable Financial Reporting Framework
  • OAG Audit 5030 – Understand the Entity’s System of Internal Control, including IT Environment

Internal Audit

For further details, see OAG Audit 6030.

For additional guidance on understanding of the group, see OAG Audit 2322.

Sufficiency of the group engagement team’s understanding

CAS Requirement

The group engagement team shall obtain an understanding that is sufficient to (CAS 600.18):

(a)   confirm or revise its initial identification of components that are likely to be significant; and

(b)   assess the risks of material misstatement of the group financial statements, whether due to fraud or error.

OAG Guidance

  • Confirm or revise initial identification of components, see OAG Audit 2323.
  • Assessment of the risks of material misstatement, see OAG Audit 2332.
Other regulatory requirements

OAG Guidance

Apart from statutory audit requirements, some other regulatory requirements require companies to perform procedures on the compliance with authorities or to report on internal controls compliance, risks, and governance standards beyond the statutory financial accounts. The group and statutory auditors should be familiar with such requirements, which should be taken into account when planning and scoping the group and component audits.

The group engagement team confirms that regulatory requirements are appropriately communicated to and understood by component auditors.

For further guidance on specific component audit requirements, the engagement teams contact the component auditor or Legal Services.

The group engagement team informs the component auditor about the regulatory environment of the group to the extent it impacts the scope of the group audit (e.g., group auditor requirements for compliance with authorities should be communicated to external component auditors who are not as familiar with the authorities’ requirements of the OAG). The group engagement team also needs to be aware of specific regulatory requirements in each component, to the extent that it impacts the group audit.

Understanding group management’s reporting instructions

CAS Guidance

To achieve uniformity and comparability of financial information, group management ordinarily issues instructions to components. Such instructions specify the requirements for financial information of the components to be included in the group financial statements and often include financial reporting procedures manuals and a reporting package. A reporting package ordinarily consists of standard formats for providing financial information for incorporation in the group financial statements. Reporting packages generally do not, however, take the form of complete financial statements prepared and presented in accordance with the applicable financial reporting framework (CAS 600.A24).

The instructions ordinarily cover (CAS 600.A25):

  • the accounting policies to be applied,

  • statutory and other disclosure requirements applicable to the group financial statements, including:

    • the identification and reporting of segments,

    • related party relationships and transactions,

    • intra-group transactions and unrealized profits, and

    • intra-group account balances.

  • a reporting timetable, and

  • [other regulatory requirements such as additional compliance with authorities requirements.]

The group engagement team’s understanding of the instructions may include the following (CAS 600.A26):

  • The clarity and practicality of the instructions for completing the reporting package.

  • Whether the instructions:

    • adequately describe the characteristics of the applicable financial reporting framework;

    • provide for disclosures that are sufficient to comply with the requirements of the applicable financial reporting framework, for example, disclosure of related party relationships and transactions, and segment information;

    • provide for the identification of consolidation adjustments, for example, intra‑group transactions and unrealized profits, and intra‑group account balances; and

    • provide for the approval of the financial information by component management.