Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
2383 Execution of fieldwork
Jun-2018
In This Section
Overview
This section discusses:
- Execution of fieldwork
OAG Guidance
Perform audit work relating to the testing of controls, substantive analytics, and substantive tests of detail in accordance with OAG Annual Audit Manual.
Auditing in the shared service environment also requires consideration of the appropriate definition of populations and selection of samples. Note that there is a clear distinction between controls testing and substantive tests of details performed by the SSC auditor with respect to these matters. Follow the guidance in OAG Annual Audit Manual with the following additional considerations:
Control testing
As described in the example of OAG Audit 6053, decisions on the number of items to test requires a determination as to whether the population subject to testing is sufficiently homogeneous to permit it to be treated as one population and, therefore, permit the results of our testing to be appropriately projected to that entire population.
Therefore, in a situation where an SSC is processing transactions for multiple geographies and/or entities following the same or substantively similar procedures on a common accounting IT application, it is often appropriate to define the population to test as being all transactions for all geographies and/or entities processed at the SSC.
Conversely, in situations where the SSC follows different procedures or processes transactions on different systems, it would generally not be appropriate to combine populations of transactions for sample selection.
There is no need to include specific transactions relating to particular entities in the controls testing as this would be a deviation from considering a population homogeneous. This is not influenced by how many entities the control impacts. Rather, the homogeneity is a function of how the process is carried out (i.e., following the same instruction, in the same IT environment, etc.).
The use of different reviewers in the same instance of controls does not necessarily contradict the existence of a homogeneous population, unless knowledge from the understanding and evaluating controls process suggests that certain reviewers of the controls in question follow a different process. If a central monitoring or review function is in place it may be possible to treat the controls performed by different individuals as a single population. However, in this case, in addition to testing the control itself, we perform a separate test of the supervisory review and approval processes to support our conclusion that the controls could be treated as a single homogeneous population. The extent of this test depends mainly on the frequency of the supervisory control.
Substantive testing
The SSC team can perform substantive tests to obtain evidence for the group engagement team and/or component teams. For tests of details, however, the SSC engagement team will ordinarily need to identify separate populations of transactions and balances related to each component and test a full sample from each to satisfy the needs of each respective component. This is the case when the initiation of transactions and respective controls and source documents are at the user location necessitating separate populations for substantive testing. This is also the case when component teams need evidence based on component materiality and risk for audits of financial information at individually significant locations or particularly when a statutory audit is required for some or all of the individual components. For example, if an SSC manages accounts receivable for a number of components, it may be more efficient for confirmations to be performed by SSC engagement team. However, such tests would be designed with the needs of the group audit and individual component teams in mind. Component teams need to be satisfied that the test will provide sufficient appropriate audit evidence to respond to the risk(s) of material misstatement identified in the context of the component that they are auditing or whether there are individual homogeneous populations considering the initiation of transactions at users and the location of source documents.
If components for which we provide a separate statutory audit opinion use an SSC, any substantive testing performed at the SSC that is intended to be used as audit evidence in the statutory audits needs to be designed to be able to meet the needs of the statutory audit. This includes designing the tests so that they are
-
an appropriate response to the nature, likelihood and magnitude of risks of material misstatements as identified and assessed from the perspective of the individual component; and
-
designed taking into account the performance materiality levels of the financial statements subject to statutory audit.
In the context of statutory audits, it will ordinarily be necessary to separate transactions and balances by component for the purposes of selecting samples.
However, when the SSC processes data for components on which no separate statutory audit is required, it may be appropriate and effective to aggregate the populations and perform a substantive test once with one sample to draw conclusions about a transaction stream or account balances for many locations processed in the SSC. For example, we can design an audit sample for which it is appropriate to extrapolate the results to a full population or use accept-reject testing to either accept or reject certain characteristics of an entire population. For example, this might be an effective approach for an inventory count when the SSC manages inventory for a number of components. In such circumstances, however, design the test to provide appropriate evidence for the circumstances in which it is to be used, considering materiality as appropriate. For example, when the testing results are planned to be used in the statutory audit of an individual component, the materiality needs to be set at a level relevant to the individual component. When the testing results are solely used for the purposes of the group reporting, the group engagement team determines an appropriate level of materiality to be applied when testing the aggregated population. Similar considerations apply for targeted testing.
Documentation and access to working papers
Given the number of end users, the quality of documentation in the work product provided by the SSC engagement team is particularly important. The best approach for documenting and using the work performed centrally is highly fact specific and will involve engagement team judgment. We need to consider specific engagement circumstances in determining the best approach, including appropriate access to the related working papers, relevant requirements regarding confidentiality and safe custody of audit documentation etc.
When determining our approach to documenting the SSC audit work, consider all relevant requirements, including local regulations regarding archiving, confidentiality and safe custody of audit documentation that may apply to component statutory audits. In particular, we need to consider potential confidentiality issues that may arise when the SSC engagement database reflects work related to different components of the group.
Local regulations may require obtaining additional documentation or communications from the group, SSC or component engagement teams, e.g., confidentiality waivers, confirmations that the group engagement team takes full responsibility for the direction and supervision of the SSC audit work. Such documentation and communications are provided in line with the relevant requirements, as appropriate. The group, component and SSC engagement teams need to consider such requirements as part of the audit planning to facilitate timely communication and documentation. Consider consulting with Audit Services when additional documentation or communications are requested.
As explained in OAG Audit 2384 we would generally expect the SSC engagement team’s report to include sufficient detail to understand the nature, timing, extent and results of the work performed, which will help avoid any duplication of work by group and component auditors and avoid the need to access the detailed SSC engagement team’s working papers. If the SSC audit work is performed properly and there is a sufficiently detailed and clear report from the SSC auditor, it is anticipated that access to working papers would generally not be necessary.