Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
2382 Planning and scoping of SSC audit work
Jun-2018
Overview
This section discusses:
- Planning and scoping of SSC audit work
OAG Guidance
Relevant standards
Agreement needs to be reached and explicitly documented during the planning phase as to the applicable auditing standards to be followed by the SSC engagement team in the execution of the work. In most instances, it is expected that the work would be conducted in accordance with Canadian Auditing Standards, but if additional statutory or professional standard requirements exist they need to be identified during the planning phase. These requirements would generally be communicated by component auditors who are planning to use the work performed at the SSC to the group engagement team, who will then communicate them to the SSC engagement team, as appropriate.
Overall considerations
The following chart illustrates overall considerations relevant to the SSC audit work and types of reports that may be issued:
Note 1: The SSC audit work may be performed by the group or component engagement team and documented in the group or component engagement file. This is only appropriate when review and supervision can be established over the SSC audit work by the group or component engagement team consistent with CAS 220 and related OAG Audit guidance. If other component engagement teams plan to use the audit work performed at the SSC, the group or component engagement team that performed the audit work at the SSC shares the results of audit work performed with other component engagement teams, as appropriate. For example, the group engagement team may provide to component engagement teams a communication explaining the procedures performed at the SSC and audit evidence obtained as a result of such procedures.
Note 2: The group engagement team may engage a separate team to perform SSC audit work and communicate and use the work of the SSC engagement team, applying relevant requirements and guidance in CAS 600 and OAG Audit 2300 that explain how CAS 220 is applied in group audit situations (e.g., the group engagement team obtains an understanding of the SSC auditor, communicates with the SSC engagement team and evaluates results of their work). This is generally the case when the SSC is located in a different geographical location from the group or component engagement teams. This may also be the case when the SSC is located in the same geographical location, but the SSC audit work is performed by a separate engagement team.
The nature and extent of communications between the group and SSC engagement teams and documentation of the work performed would depend on the circumstances of the engagement. For example, when the group and SSC engagement teams are located in the same geographical location and the SSC engagement team has access to the group engagement team’s audit planning documentation, this may be sufficient to communicate the group engagement team's requirements to the SSC engagement team without issuing formal group instructions. Similarly, a review of the SSC engagement team’s documentation by the group engagement team may be sufficient to communicate the results of the SSC audit work and related conclusions relevant to the group audit.
The group engagement team is responsible for determining the scope of work to be performed at the SSC, as well as direction and supervision of the SSC audit work. The group engagement team fulfills these responsibilities in collaboration with the SSC and component engagement teams.
Note 3: The type of report to be issued depends on the work performed at the SSC and other engagement circumstances. Reporting to the group and component / statutory engagement teams for the SSC audit work will generally take the form of a report on specified procedures (applicable for either substantive tests or controls testing) but, when certain preconditions are met, could take the form of a reasonable assurance report based on CSAE 3000 (applicable only for controls testing). In some circumstances, a reasonable assurance report based on CSAE 3000 may be more efficient than specified procedures reports. Examples of the circumstances where this may be the case include the following:
- audit work performed by the SSC engagement team will be used primarily for a large number of component / statutory audits, rather than primarily for a group financial statement audit;
- a large number of internal controls operate centrally at the SSC and a large number of component / statutory engagement teams will use the SSC engagement team’s work to obtain audit evidence about the design, implementation and operating effectiveness of the controls;
- SSC audit work solely entails controls testing; and
- SSC management assumes responsibility for preparing the risk and controls matrix, which contains the information about the controls subject to testing, including control objectives, and makes a statement about the design and operating effectiveness of controls.
Use of a reasonable assurance report based on CSAE 3000 would only be appropriate if the preconditions for an assurance engagement specified in CSAE 3000.24 are present. When we plan to use the reasonable assurance report based on CSAE 3000 for controls work, the SSC management will need to assume responsibility for preparing the risk and controls matrix and this would need to be clearly stated in the report. This may preclude use of a reasonable assurance report when SSC management are not able to make an explicit statement relative to the effectiveness of internal controls. The SSC engagement team is responsible for determining whether they have a sufficient basis to provide a reasonable assurance report based on CSAE 3000.
Note 4: Where the group or component engagement team, as applicable, receives a specified procedures report from another OAG audit team, the group or component engagement team evaluates the appropriateness of the report and work performed, and determines if further evidence may need to be obtained. Communications between the group, component and SSC engagement teams follow the requirements and guidance of CAS 600. When reporting to or receiving reports from a non-OAG audit team, use of a specified procedures report may not be appropriate. Refer to OAG Audit 2384 for guidance.
Note that in all cases the scope of work to be performed and results of the work are communicated to the group and component auditors that plan to use the SSC audit work (both for group reporting and statutory reporting purposes). There is no single preferred option on how the SSC audit work may be performed, documented and reported. Instead, we consider engagement circumstances when developing our approach to the SSC audit work. Refer to further guidance in this section.
Planning
Audits need to be carefully planned to determine whether the necessary extent of audit evidence is available to each impacted OAG audit team using the most effective and efficient overall audit approach. The process of planning and scoping the work to be performed at the SSC will depend on a number of factors including the extent to which the SSC is processing transactions through standardized systems (as opposed to running different processes for each subsidiary) and the degree to which the group engagement team (and component teams) are planning to rely upon the work of the SSC engagement team. Consideration would also be given to whether the SSC itself has any statutory or other reporting requirements.
The planning stages of an SSC audit can be quite complex and will likely require iterative communication and information gathering amongst the group, its components/statutory and SSC engagement teams. This is especially true when data inputs for centralized procedures performed at one SSC or component of the group depend on data outputs from another SSC/component. This may create additional complexities for the group audit and therefore in such cases appropriate coordination between the group, component and SSC engagement teams becomes even more important.
It is important that the group engagement team, component engagement teams that plan to use the SSC audit work and the SSC engagement team communicate on a timely basis. This helps agree on the procedures to be performed at the SSC, how the results will be communicated and audit evidence shared among the group and component engagement teams. Although the group engagement team will make the ultimate decisions, the component engagement teams need to be satisfied that the planned SSC audit work is appropriate and will provide sufficient evidence for both group and statutory reporting purposes. This includes consideration of the procedures planned, FSLI assertions addressed, materiality applied and other relevant factors.
The group engagement team would generally assume responsibility for the SSC audit approach and related testing decisions and communicate appropriate details of such, including the procedures, to all relevant engagement teams. However, component engagement teams that plan to use the SSC audit work (either for group reporting or statutory reporting purposes) need to inform the group engagement team about the SSC audit work they plan to use, so that necessary procedures would be included in the instructions provided by the group engagement team to the SSC engagement team. Such communications between the group and component engagement teams would generally need to occur early in the planning process and prior to finalization of the overall group letter of instructions to be issued by the group engagement team.
We would normally expect the group engagement team to coordinate the procedures to be performed at the SSC (agreeing and communicating them with the components and SSC engagement teams, as appropriate), and communicate the instructions to the SSC engagement team, which would include all audit procedures that need to be performed at the SSC for both group reporting and statutory purposes. This would help avoid the need for component engagement teams to communicate any incremental audit work they plan to use (for example for statutory reporting purposes) in separate instructions and helps facilitate an effective and efficient audit approach.
The group engagement team would be more likely to coordinate SSC audit work on engagements where multiple SSCs are used by the client and there is significant interrelation of inputs and outputs between the SSCs and components. On some group audit engagements, it may be more effective and efficient for the SSC engagement team to play a more active role in determining the SSC audit work to be performed.
Refer to OAG Audit 2385 for guidance on communications. The Specified Procedures Memorandum of Understanding for a SSC available on the Intranet can be used to develop appropriate planning communications.
Understanding the SSC auditor’s work
As part of planning, we consider the appropriate level of quality control review required over the SSC auditor’s work. As explained above, when the SSC engagement team is considered part of the group / component engagement team, the SSC audit work is performed and reviewed in accordance with CAS 220. When CAS 600 is also applied (i.e., the SSC engagement team is considered a component auditor and the group engagement team requests that the SSC auditor perform procedures at the SSC), the group engagement team, on behalf of all teams using the results of the SSC engagement team’s work, understands the SSC auditor as a component auditor in accordance with CAS 600.19 and CAS 600.20, and is involved in the SSC component auditor’s work in accordance with CAS 600.30. OAG Audit 2326 provides guidance on the procedures that may be undertaken to obtain an understanding of the SSC auditor, distinguishing between component auditor from the OAG and component auditor external to the Office.
In particular, the group engagement team considers the results of quality reviews of the SSC auditor as part of this understanding, and to evaluate whether they may affect the procedures to be performed with regard to the work done by the SSC auditor (e.g., affect the extent of review of work performed by the SSC auditor in line with OAG Audit 2361).
It would generally be more efficient for the group engagement team to perform all procedures regarding understanding the SSC auditor (if necessary) on behalf of component auditors that use the SSC team's work and communicate this to component engagement teams, as appropriate. This will help avoid the need for component auditors to perform duplicative procedures. The group engagement team needs to communicate with component auditors to identify any additional requirements regarding understanding and involvement in the SSC auditor’s work that are needed and the group engagement team needs to coordinate the gathering of the necessary information with the SSC engagement team. Component engagement teams use the procedures performed by the group engagement team, evaluate whether such procedures and related documentation are sufficient for the purposes of their statutory reporting and perform additional procedures where considered necessary. Component engagement teams need to document their evaluation of the sufficiency of the group engagement team procedures and any additional procedures they have performed.
Developing testing strategy
In planning and performing work at the SSC, develop efficient and effective testing strategies through the thoughtful linkage of control testing, substantive analytical procedures and tests of details. Given that many SSCs process high volume, low risk routine transactions through standardized processes, an efficient and effective testing plan would likely include a predominance of controls testing and substantive analytical procedures. In combination, this will often be able to provide the majority of required audit evidence. Tests of detail, where necessary, might be expected to be more limited.
Planning the work at the SSC might involve:
- Understanding the strategy of the entity as it relates to the SSC, the standing of the SSC within the group, its business rationale and objectives. This includes ensuring a thorough understanding of the roles, responsibilities, accountability for and ownership of the information to be processed by the SSC. This also involves understanding where the control and responsibility lies between the components and/or statutory entities using the data from the SSC and the SSC itself;
- Understanding significant risks, including fraud and business risks, related to the SSC. In doing this, teams need to understand both those risks the SSC is responsible for managing on behalf of the rest of the group, as well as the risks to which the SSC itself is exposed;
- Understanding both the legal and management control structure of the group;
- Understanding the audit and reporting requirements for the group and component entities that require stand-alone audits, including statutory requirements, relevant GAAP and GAAS, and related materiality;
- Understanding those processes, systems, controls, and personnel and accounting records employed and retained at the SSC, which are relevant to financial reporting and how those relate to group and components and statutory audit financial reporting throughout the group;
- Evaluating what audit evidence can be obtained at the SSC;
- Determining what necessary extent of audit evidence is required by each of the group and its component / statutory audit teams;
- Considering what procedures might need to be performed at the group or component locations in support of the SSC team’s work;
- Upfront and ongoing agreement with all group and component / statutory audit teams on the audit evidence to be obtained at the SSC, including the nature, timing and extent of specified procedures;
- Determining who will perform the SSC audit work and when;
- Agreeing on the process for applicable review and oversight of work performed at the SSC;
- Establishing how the audit evidence will be documented and shared.
As with all other components in a group audit situation, this guidance assumes that engagement teams have appropriately determined group and component materiality (see OAG Audit 2333) as part of determining the appropriate level of audit procedures to perform at the SSC.
The following provides further guidance and recommendations related to the planning of SSC audit work.
- Consider the following activities when determining what work to request the SSC engagement team to perform:
  - Make inquiries of management at the group level and at the component/statutory and SSC level regarding the financial reporting process and controls performed at the SSC, and review management’s existing documentation of policies, procedures, processes, and controls;
  - Identify significant processes and sub-processes managed at the SSC relevant to authorizing, initiating, processing, recording and/or reporting transactions for the relevant components, including identifying activities that are common to multiple components (for any given process which is determined to be in scope, the population of relevant controls is often the same whether the scoping were performed from a group audit perspective or a component / statutory audit entity perspective);
  - Identify the key inputs to, and outputs from, the SSC which are relevant from a financial accounting perspective (e.g., transaction flow, standing data, and accounting records);
  - Identify technologies and application instances that support the key SSC financial processes, inputs and outputs, including controls over the key reports and spreadsheets;
  - Relate key SSC inputs/outputs and processes/sub-processes to control objectives, information processing objectives, and/or financial statement assertions relevant to the group audit and all component / statutory entity audits;
  - Where evidence is being sought from tests of controls, identify relevant controls that operate both within and outside the SSC, to develop a complete understanding of the end-to-end design of internal control and to clearly identify those controls to be tested by the SSC engagement team versus those to be tested by the group or component / statutory audit teams;
  - Obtain and evaluate any Internal Audit work relating to the SSC and consider that work in developing the SSC audit plan;
  - Document the above information as part of the audit plan in a manner that facilitates sharing amongst the engagement teams and streamlines the interoffice instruction and reporting processes.
- Good documentation practices include:
  - a matrix identifying SSC processes and sub-processes that are relevant to each component and statutory entity; for our understanding of controls at the SSC level;
  - process flowcharts and narratives that enable a clear understanding of the SSC processes, inputs, and outputs.
- Consider the extent to which the client exercises control over the effective operation of the SSC by means of a business performance review or analysis of other key performance indicators. Consider the extent to which a review of this information (e.g., account reconciliation statistics) may provide audit evidence to the SSC team. Note that this may require other teams to perform work on behalf of the SSC team.
- The group, component/statutory and SSC engagement teams determine how to collaborate on any risk factors that would require additional work to be performed at the SSC in connection with any specific group or component / statutory audit. Complete and document this at the planning stage of the audit to determine appropriate scoping for all components and/or statutory entities audits and to demonstrate the active involvement of all relevant parties to group audit planning decisions.
- The group or component / statutory audit teams may need assurance from substantive tests of details at the SSC, whether contemplated in the initial audit plan or as a response to the results of other audit work. Consideration would also be given to procedures that can serve dual purpose as both tests of controls and tests of details. The SSC engagement team may challenge instructions to perform work which, in the view of the SSC team, will not provide effective and efficient results. However, the procedures to be performed are ultimately the responsibility of the group / component teams.
- For specified procedures to be performed by the SSC engagement team, distinguish between procedures that are tests of controls versus tests of details, as appropriate. The SSC engagement team may be able to provide controls evidence to multiple audit teams by sampling once from a single population of common control activities. For tests of details, however, the SSC engagement team will ordinarily need to identify separate populations of transactions and balances related to each component and test a full sample from each to satisfy the needs of each respective audit team, particularly when a statutory audit is required for some or all of the individual components. Teams can consider circumstances when a test of details can be designed to meet the needs of more than one component team.
- Agree the timing of the audit work to be performed by the SSC engagement team at an early stage by all audit teams. Perform controls work to allow sufficient time for the teams to review the results, determine their conclusions on the design, implementation and operating effectiveness of the controls and consider the need to alter the nature, timing and extent of their planned audit procedures, or to request additional work at the SSC in response to any identified control deficiencies or other audit findings. Additional visits, such as those that might be required to update testing of controls or to perform subsequent events procedures, would be clearly outlined in planning.
- Determine the appropriate type of report to be issued on the SSC audit work. Refer to OAG Audit 2384 for guidance. The group, SSC and component / statutory engagement teams will need to maintain a rigorous level of communication to determine if the procedures performed will satisfy all teams' needs and expectations.