Annual Audit Manual

COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.

2361 Review of the work performed by component auditors
Dec-2023

In This Section

Consideration of the need for, and form of, review of work performed by component auditor

OAG versus external firm/auditor Component Auditor

Example Review Procedures

Consideration of the need for, and form of, review of work performed by component auditor

CAS Requirement

The engagement partner shall review audit documentation at appropriate points in time during the audit engagement, including audit documentation relating to (CAS 220.31):

(a)   Significant matters;

(b)   Significant judgments, including those relating to difficult or contentious matters identified during the audit engagement, and the conclusions reached; and

(c)   Other matters that, in the engagement partner's professional judgment, are relevant to the engagement partner's responsibilities.

If a component auditor performs an audit of the financial information of a significant component, the group engagement team shall be involved in the component auditor’s risk assessment to identify significant risks of material misstatement of the group financial statements. The nature, timing and extent of this involvement are affected by the group engagement team’s understanding of the component auditor, but at a minimum shall include reviewing the component auditor’s documentation of identified significant risks of material misstatement of the group financial statements. Such documentation may take the form of a memorandum that reflects the component auditor’s conclusion with regard to the identified significant risks (CAS 600.30(c)). (Ref: Para. A54-55)

CAS Guidance

Review of the engagement team's work consists of consideration of whether, for example (CAS 220.A88):

  • The work has been performed in accordance with the firm's policies or procedures, professional standards and applicable legal and regulatory requirements;

  • Significant matters have been raised for further consideration;

  • Appropriate consultations have taken place and the resulting conclusions have been documented and implemented;

  • There is a need to revise the nature, timing and extent of work performed;

  • The work performed supports the conclusions reached and is appropriately documented;

  • The evidence obtained is sufficient and appropriate to provide a basis for the auditor's opinion; and

  • The objectives of the audit procedures have been achieved.

Forms of involvement in the work of a component auditor may, based on the group engagement team’s understanding of the component auditor, include reviewing the component auditors’ overall audit strategy and audit plan and reviewing other relevant parts of the component auditors’ audit documentation (CAS 600.A55(b,f)).

OAG Guidance

The purpose of the review of the component auditor’s audit documentation is to determine whether the work of the component auditor is adequate for purposes of the group audit i.e., whether sufficient appropriate audit evidence has been obtained with regards to the component’s financial information and its impact on the group financial statements.

The audit plan for the group audit needs to include sufficient time and appropriate resources for the group engagement team to review the work of the component auditors and for the component auditors to facilitate this review.

The review is an ongoing process, which begins at the planning phase when the risk assessment and planned audit procedures are reviewed and discussed (OAG Audit 2332), continues with timely discussions of significant matters and judgments that arise from the component auditor’s work throughout the engagement, and is completed once the component auditor’s work is completed, the component auditor’s communication is received and through to the completion of the group audit.

The group engagement team undertakes procedures, including appropriate review of the component auditor's work, to satisfy their responsibility for maintaining quality on the group audit overall.

Whether the component auditor is another OAG audit team or an external firm/auditor will not affect the requirement for the group auditor to be involved in the work of the component auditor. However, it may affect the nature and extent of the procedures the group engagement team determines to be needed in respect of reviewing the component auditors’ work,  for example, because the external component auditor is not subject to our Office policies and procedures. See OAG Audit 2362 for further guidance.

The elements of the component auditor's documentation and communication that the group engagement leader and team review may vary depending on engagement circumstances, as well as the content of the component auditor's communication. The group engagement leader's review of the component auditor's documentation and communication, as applicable, takes into consideration the minimum review responsibilities set out in OAG Audit 1162.

The determination of the nature and extent of the group engagement team's review procedures is a matter of professional judgment and is based on risk characteristics of both the:

  • Component (e.g., the relative significance of the component to the group financial statements, both due to size and risk); and

  • Component auditor (e.g., the reputation of and our prior experience with the component auditor, the industry experience of the component auditor and whether the component auditor is from the OAG).

The nature, and extent of the group engagement team's review procedures may be affected by the knowledge gained of the component auditor a (i.e., their competence), whether the group engagement team has access to the component auditor's files (i.e., no legal, regulatory or other professional obligations that prevent such access), the component auditor's responses to the group engagement team's inquiries and work already reviewed.

The nature and extent of the review may also vary for different elements of the component auditor's work (e.g., the nature and extent of review may be greater in areas of elevated or significant risks).

The group engagement leader's review of the component auditor's work and documentation may also provide evidence that the reviewer from the component engagement team who was assigned review responsibilities performed their review in a manner that meets the group engagement leader's expectation. Refer to OAG Audit 2343 for further guidance.

The group engagement team's review of the component auditor's working papers is performed by a member of the group engagement team with sufficient knowledge and experience such that they would be able to understand the work performed and consider the sufficiency of the work and the appropriateness of significant judgments made by the component auditor. What documentation the group engagement leader and/or engagement team will review is a matter of their professional judgment. Further guidance on reviewing audit documentation is included in OAG Audit 3070

The group engagement team documents in their own working papers the nature, timing and extent of their review of the component auditor's work.

The group engagement team's working papers also document the group engagement team's involvement throughout the engagement, particularly as it relates to significant matters, consultations, resolving differences of opinion and evaluating the impact of exceptions noted during testing, as appropriate. In doing so, the group engagement team considers whether:

  • The work performed by the component auditor is consistent with the audit strategy and plan agreed during the planning phase (or as updated for circumstances arising during the engagement).

  • The audit evidence obtained by the component auditor supports the significant judgments made and conclusions reached by the component auditor and whether the group engagement team agrees with those significant judgments and conclusions.

  • The documentation and conclusions documented are consistent with the group engagement team's expectations taking into account prior communications with the component auditor.

  • Appropriate consultations were undertaken and documented.

  • All significant open matters have been resolved.

Site and component visits

The following guidance is intended to provide incremental guidance for teams to consider when deciding to complete in-person visits to sites and component teams and reviewing component auditor working papers.

In-person visits to client sites and component auditors have a number of benefits:

  • Improving understanding of client operations

  • Corroborating statements and representations made by group management

  • Improving risk assessment procedures and conclusions

  • Developing relationships with component auditors

  • Reviewing audit strategy decisions and working papers of component auditors

There is no minimum cadence for in-person site visits prescribed by either the auditing standards or OAG policy. Teams should document their rationale for which sites will be visited in person. Generally site visits would be more frequent where components are more significant or unique risks exist.

  1. When should the group engagement team review the working papers of a component auditor?

The group engagement team should apply professional judgment when deciding when to review component auditor working papers, and document the rationale in the audit file.. Factors that should be taken into consideration in making the decision of whether or not the group auditor should review the component auditor’s working papers are:

  • Significance of the component to the group financial statements;

  • Whether there are significant risks at the component level;

  • Prior years results of the component auditor’s working papers review, if applicable;

  • Whether the component auditor is another OAG team or an external firm/auditor (see block “OAG versus external firm/auditor Component Auditor” below);

  • Prior experience with and reputation of the component auditor;

  • Component auditor’s knowledge and expertise related to the client’s industry;

  • Past adjustments and errors in the component’s financial statements; and

  • Number of years since the working papers have last been reviewed.

In situations where the group engagement team decides it is not necessary to review the component auditor’s working papers, but also doesn’t just want to rely on the standard group reporting, the group auditor instead may request the component auditor to provide an extended Memorandum of Work Performed that includes a summary of comfort description on certain or all financial statement line items, including exceptions, to be satisfied that the work performed is sufficient appropriate audit evidence.

  1. Can the group auditor send a representative to review the working papers of component auditors?

There may be circumstances when the group auditor may consider sending a representative (rather than a member of the group audit team) to review the working papers of a component auditor, if the working paper review cannot be performed remotely. Sending a representative might be considered when:

  • An external component auditor (external firm/auditor) is located in a different region that has an OAG office in that region, the group auditor may ask a representative from the OAG office in that region to review the working papers of the external component auditor (external firm/auditor). See block "OAG versus external firm/auditor Component Auditor" for further considerations when this may be advantageous.

  • In these circumstances, the representative should document in the group audit file the following:

  • Confirmation of their independence and compliance with ethical requirements including integrity, objectivity, professional competence and due care, confidentiality and professional behaviour;

  • Knowledge of the auditing and accounting standards; and

  • The representative’s knowledge about the client to evidence the ability to identify issues/circumstances that are inconsistent with group information, risk assessment or expected strategy. This can be achieved by documenting the representative’s understanding of the risk and response as well as the group’s risk assessment, including fraud.

To meet the requirements of CAS 220, the group engagement team should set-up a coaching meeting with the representative to provide the representative with clear instructions on what to review and document, including the nature and extent of the review  and to discuss the bullet points above. The minutes of the coaching meeting should be retained in the audit file as evidence of the group engagement team / group engagement leader confirming the knowledge and competency of the representative.

  1. Can we review the working papers of a component remotely?

Whether or not a group audit team will be granted remote access to a component auditor’s working papers is dependent upon the circumstances of the component auditor. It is important that group audit teams inquire early with their component auditors whether or not remote file access can be provided.

In addition to the question whether or not remote file access can be provided, the engagement team should consider the following factors when determining whether remote file access an efficient way to determine if the component auditor has performed sufficient work:

  • Need to review external working papers.

  • Complexity of the file and how much interaction with the component audit team is necessary to navigate the file and understand the issues encountered.

  • History of issues noted in the past to allow for immediate remediation work while physically present

  • Need or expectations to talk to local management to obtain the appropriate level of understanding of either the components business or any accounting/auditing issues, for the purpose of assessing the appropriateness of our risk assessment as well as judgments made or conclusions reached by management or the component auditor.

  1. What is the best way to document our component auditor review?

Guidance related to the review of working papers of component auditors and example review procedures are outlined in block “Example Review Procedures” below. However, these procedures should not be used as a checklist and the group engagement team should tailor the procedures depending on the specific circumstances of the component and/or the assessment of the component auditor.

The audit documentation that will be relevant to the group audit will vary depending on the circumstances and the focus should generally be on audit documentation that is relevant to the significant risks of material misstatement of the group financial statements.

OAG versus external firm/auditor Component Auditor

OAG Guidance

Component auditor from another OAG audit team

If the component auditor is from the OAG, the extent of the review may be affected by our previous experience with the component auditor, or by our discussions or correspondence with the component auditor and his/her responses to our interoffice instructions.

Component auditor from an external firm

When the component auditor is not from the OAG, the group engagement team needs to be conscious of the fact that we cannot expect them to use OAG audit methodology; although, we expect the work to be in compliance with CASs, as per OAG Audit 2326.

The group engagement team may need to obtain the assistance of another OAG audit team to review the work of the component. This can be useful because an OAG audit team in the same group or office as the component auditor could have a better understanding of the business environment of the component, and the statutory requirements and will be more familiar with the language that may be used in some or all of the component auditor's documentation. In these circumstances, the group engagement team verifies that comprehensive instructions relating to the procedures are provided to the review team in advance, and that the review team has a sufficient understanding of the group financial reporting framework and applicable GAAS.

In certain instances, the group engagement team may also request the component auditor to complete an audit questionnaire or checklist relating to the audit of the component. The questions need to be properly framed in the context of an audit of the component’s financial information as a whole and not in a manner that could be considered as providing separate opinions on individual elements of the component’s financial statements. The completed questionnaire or checklist assists the group engagement team in identifying potential areas to focus their review of the component auditor’s documentation, as well as the extent of the review procedures required (see table below for guidance). Generally, the questionnaire or checklist alone will not provide a basis for the group engagement team to complete their review of the component auditor's work.

Example Review Procedures

OAG Guidance

The table below shows example procedures the group engagement team could, depending on the circumstances, perform in a review of the component auditor’s working papers. This is not to be used as a checklist. Procedures are to be tailored for each situation depending on the specific circumstances of the component and/or the assessment of the component auditor (see OAG Audit 2326OAG Audit 2328 and OAG Audit 2329).

Note that some of the terms used below are OAG Audit terms, and an external firm/auditor component auditor may use different terms. When performing the review procedures, the group auditor considers whether the substance of the external component auditor’s work is sufficient and appropriate, and not the ways in which the external component auditor’s terminology or form of the work may differ from OAG Audit.

Communication with the component auditor throughout the audit process typically facilitates a more effective and efficient review process.

AREA

EXAMPLE REVIEW PROCEDURES

Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement
  • For significant components, review the component auditor’s documentation of identified significant and elevated risks of material misstatement of the financial statements. Such documentation may take the form of a memorandum that reflects the component auditor’s conclusion with regard to the identified significant and elevated risks.
  • Review that the component auditor’s understanding of the entity also includes an understanding of the tax regime and related party transactions, both of which could have a significant effect on the financial statements.
  • Assess whether the component auditor obtained and documented an understanding of the component entity and its environment, and the applicable financial reporting framework.
  • Determine that they obtained an understanding of the entity's system of internal control, including the IT environment.
  • For significant risks, review the component auditor’s evaluation of the design and implementation of the entity’s controls, in the control activities, component addressing those significant risks.
  • Determine that they identified relevant risks arising from the use of IT and ITGCs addressing those risks, and evaluated the design and implementation of ITGCs.

Audit Strategy and Plan
  • Review the overall audit strategy and audit plan to reduce the audit risk to an acceptably low level, including the nature, timing and extent of the planned audit procedures to be performed by the component auditor. Consider the group audit strategy and specific items in the letter of instructions.
  • Assess if the planned audit procedures to be performed to respond to the identified significant and elevated risks are sufficient. Determine whether it is necessary to be involved in performing further audit procedures (either at the component location or at a group level).
  • Discuss important and sensitive aspects of the engagement and reasons for the audit strategy selected including the nature, timing and extent of procedures planned to be performed in sensitive or high-risk areas.
  • Review documentation of updates and changes in the overall audit strategy and the audit plan during the course of the audit, if applicable.

Materiality
  • Determine that they applied the component materiality level determined by the group auditor and communicated in the letter of instructions, or if a lower materiality level has been determined and applied for statutory audit purposes.
  • Evaluate if they properly assessed whether the aggregate of uncorrected misstatements that have been identified during their audit is material to the component financial information.
  • Determine whether they have reported to the group engagement team all uncorrected misstatements in accordance with the group instructions.

Controls
  • Where they planned to rely on the operating effectiveness of controls, evaluate whether they performed appropriate tests of controls to obtain sufficient appropriate audit evidence that the controls were operating effectively at relevant times during the period under audit.
  • Understand their use of system generated information, and whether the reliability of this information was properly assessed, including the testing of ITGC’s and other information processing controls, where relevant.
  • Evaluate whether when testing controls (either over IT or other controls) the component auditor tested and appropriate number of instances (e.g., by considering in comparison to sample sizes indicated in OAG audit methodology).
  • Evaluate whether exceptions in the testing of operating effectiveness of the controls identified are appropriately considered.
  • Review their communication to component management and those charged with governance of the component to assess whether all significant deficiencies in internal control over financial reporting have been properly reported.

Analytical Procedures
  • Determine that they applied preliminary analytical procedures as risk assessment procedures to obtain an understanding of the entity and its environment and identify risks.
  • Determine that they applied analytical procedures at (or near) the end of the audit when forming an overall conclusion as to whether the consolidation package as a whole is consistent with our understanding of the entity.

Substantive Procedures
  • Assess whether irrespective of the assessed risk of material misstatement, they have designed and performed substantive procedures for each material class of transactions, account balance, and disclosure.
  • Determine whether when they determined that an assessed risk of material misstatement at the assertion level is a significant risk, they have performed substantive procedures that are specifically responsive to that risk (typically would require substantive tests of details, not just substantive analytical procedures).
  • Assess whether the use of testing methods (e.g., accept reject, targeted testing, non-statistical sampling) was appropriate.
  • Evaluate whether when performing substantive testing the component auditor tested an appropriate number of items (e.g., by considering in comparison to sample sizes indicated by OAG audit methodology.

Audit Evidence
  • Consider whether they obtained sufficient appropriate audit evidence to be able to draw conclusions on which to base the audit opinion. This assessment will also include instances where external firm/auditor component auditors have not selected the same number of items for testing controls or performing substantive testing, when compared with OAG Audit methodology. If such circumstances occur, use professional judgment to assess whether additional items need to be selected and tested either by the component auditor or by the group engagement team.
  • Review documentation of the resolution of significant accounting, auditing, and financial reporting matters (i.e., significant matters), including documentation of consultations with others. Discuss with the component auditor as needed, to affirm understanding of the issues and the resolution thereof.
  • Review whether uncorrected misstatements are material for the group audit.
  • Discuss with the component engagement leader any significant unresolved matters and inquire whether all uncorrected misstatements have been posted to the SUM.
  • Consider whether discussion of significant matters with the component auditor, component management, or group management is needed or whether additional procedures are required to be performed and by whom they will be performed.

Documentation

Determine that they have:

  • Documented matters that are important in providing audit evidence to support the auditor’s opinion and evidence that the audit was carried out in accordance with the applicable GAAS.
  • Prepared working papers that are sufficiently complete and detailed to provide an overall understanding of the audit.
  • Recorded in the working papers information on planning the audit, the nature, timing and extent of the audit procedures performed and the results thereof, and the conclusions drawn from the audit evidence obtained.
  • Recorded in the working papers reasoning on all significant matters that require the exercise of judgment, and the conclusions thereon.

Other Items

Consider the appropriateness of work performed over significant accounting, auditing and financial reporting matters and other areas including:

  • Related Party transactions.
  • Use of experts and specialists.
  • Taxation.
  • Tie out of component audit reporting package to audit work performed.

In accordance with CAS 230, the audit documentation for a group audit engagement needs to be sufficient to enable an experienced auditor, having no previous connection with the audit, to understand the nature, timing and extent of audit procedures performed, the evidence obtained, and the conclusions reached with respect to significant matters arising during the group audit.