2384 Reporting on SSC work

Jun-2018

OAG Guidance

Introduction

The type of interoffice report to be issued depends on the work performed at the SSC and other engagement circumstances. Reporting to the group and/or component / statutory engagement teams for the SSC audit work will generally take the form of a report on specified procedures (for either substantive tests of details or controls testing) but, when certain preconditions are met, could take the form of a reasonable assurance report based on CSAE 3000 (only for controls testing). The group engagement team using the SSC audit work makes the determination, in collaboration with the component / statutory engagement teams, as to which form of reporting is appropriate for the SSC audit work.  The group engagement team may prefer a specified procedures report for controls work because the group engagement team’s evaluation of the design, implementation and operating effectiveness of internal control over financial reporting is for the group as a whole, rather than at the SSC level, and therefore determination of controls effectiveness at the SSC level may not be useful to the group audit.  The same may be true for component / statutory engagement teams.  Refer to the guidance below for detailed considerations regarding each type of report and circumstances when they may be appropriate.

The following table summarizes the key elements and roles and responsibilities related to the two types of reports referred to above:

	Specified Procedures Report	Reasonable Assurance Report*
Relevant standards	CAS 600, CAS 220	CAS 600, CAS 220, CSAE 3000
Responsibility for preparing a risk and controls matrix, including description of the controls and their control objectives (for controls work)	Group engagement team (in collaboration with component and SSC engagement teams)	SSC management
Responsibility for making a statement about the design, implementation and operating effectiveness of controls (for SSC controls)	N/A	SSC management
Responsibility for determining that preconditions for an assurance engagement are present	N/A	SSC engagement team (in collaboration with group engagement team)
Responsibility for identifying control objectives to be tested	N/A	Group engagement team (in collaboration with component and SSC engagement teams)
Responsibility for determining the nature, timing and extent of work to be performed	Group engagement team (in collaboration with component and SSC engagement teams)	SSC engagement team (in collaboration with group and component engagement teams)
Responsibility for performing the work	SSC engagement team	SSC engagement team
Responsibility for direction and supervision	Group engagement team (in collaboration with component engagement teams)	Group engagement team (in collaboration with component engagement teams)
Report includes a detailed description of the controls and controls objectives (if applicable)	Yes	Yes
Report includes a detailed description of the procedures performed / testing results	Yes	Yes
Report addressee	Group engagement team	Group engagement team**

* This reporting option is for controls testing only.

** It is generally expected that this report would be addressed to the group auditor. If used for component / statutory purposes or other stand-alone reporting at a component, changes to the report addressee need to be considered.

Note that under both reporting options above, the group and component engagement teams are responsible for evaluating sufficiency of the SSC audit work performed for group reporting purposes, as appropriate, in line with the requirements and guidance of CAS 600 (taking into account materiality, assertions addressed and other relevant factors). The component / statutory engagement teams need to consider whether the population used by the SSC engagement team for testing of controls and the extent of that testing are sufficient for component / statutory reporting purposes.  It is important that the group, component and SSC engagement teams communicate as part of planning to agree on the procedures to be performed at the SSC to determine that planned procedures would be sufficient and appropriate for group and component / statutory reporting purposes.

We would generally not expect any other types of reports to be used with regards to the SSC audit work. Consider consulting with Audit Services when in doubt about which reporting approach would be most appropriate.

Specified procedures

Refer to the Intranet for an appropriate specified procedures report template referred to as the Specified Procedures Memorandum of Understanding for a SSC. See example template on the INTRAnet. The report will document the procedures performed (or refer to the instructions from the group auditor that outlined the procedures), the results of applying those procedures, and restrictions on the use of the report. The Specified Procedures Memorandum of Understanding for a SSC available on the Intranet can be used to summarize the work performed and support the specified procedures report.

Whether by reference to the specified procedures included in the audit instructions (or a separate communication issued by the SSC team) or by directly listing the procedures performed, the report needs to provide sufficient information to enable all teams to clearly understand the scope and results on the SSC audit work that was done for controls and/or substantive procedures and conclude on the design, implementation and operating effectiveness of the controls tested, where applicable. Include in the report

1. The specific control objectives that were considered through the evaluation and testing of controls, including the nature, timing, and extent of the controls work. If the relationship between financial statement assertions and in-scope control objectives is described in the planning and scoping documentation, we may consider using the template on the Intranet;

2. Substantive tests of details performed, including the nature, timing, and extent of the testing;

3. The extent to which reliance has been placed on the work of internal audit and the procedures performed to justify it; and,

4. Report exceptions clearly, indicating the test performed and details of the exception, including population subject to testing, and sampling approach.

The SSC engagement team is responsible for checking that the information to be included in the report is readily available from the audit working papers. The report will provide sufficient detailed information for the user of the report to understand the nature, timing, extent and results of the work performed. Providing this detail in a report which can be appended to the receiving office's working papers will eliminate the need for group and component / statutory auditors to duplicate documentation prepared by the SSC engagement team. The efficiency of sharing evidence across multiple components serviced by the SSC would more than offset any incremental time required to prepare the report. It would also help avoid the risk of creating inconsistent documentation by various components and sharing any detailed working papers developed by the SSC engagement team.

When reporting to or receiving reports from external firm/auditor, we need to consider that the instructions and reporting will typically be different in inter-firm circumstances. For example, we may determine it appropriate to use the template on the Intranet (in which case, the instructions and report templates will need to be prepared in a format appropriate to the circumstances). For situations where OAG is not the statutory auditor and an external firm/auditor plans to place reliance on the work of the SSC team, an agreed-upon procedures engagement might be conducted in accordance with CSRS 4400.

Reasonable assurance report based on CSAE 3000

For controls work, the SSC engagement team may consider issuing an interoffice reasonable assurance report covering conclusions about the design, implementation and operating effectiveness of controls at the SSC. Examples of the circumstances where a reasonable assurance report based on CSAE 3000 may be more efficient include the following:

• Audit work performed by the SSC engagement team will be used primarily for a large number of statutory audits, rather than primarily for a group financial statement audit;

• A large number of internal controls operate centrally at the SSC and a large number of component / statutory engagement teams will use the SSC engagement team’s work to obtain audit evidence about the design, implementation and operating effectiveness of the controls.

Use of a reasonable assurance report based on CSAE 3000 would only be appropriate if the preconditions for an assurance engagement specified in CSAE 3000.24 are present. When we plan to use a reasonable assurance report based on CSAE 3000, SSC management will need to assume responsibility for preparing the risk and controls matrix, including control objectives, and will need to make a statement about the design, implementation and operating effectiveness of controls, and this would need to be clearly stated in the report. This may preclude use of a reasonable assurance report when SSC management are not able to make an explicit statement relative to the effectiveness of internal controls. The SSC engagement team is responsible for determining whether they have a sufficient basis to provide a reasonable assurance report based on CSAE 3000.

To enable the group and component engagement team to use the work, the report will need to be sufficiently detailed to allow those teams to understand the scope and results of the SSC audit work and restrictions on the use of the report.  Include in the report

1. The controls matrix, including identification of specific control objectives that were the basis for the SSC engagement team’s evaluation and testing of the design, implementation and operating effectiveness of internal controls;

2. Nature, timing and extent of the controls work and detailed results of the work performed; and

3. Report exceptions clearly, indicating the test performed and details of the exception, including population subject to testing, and sampling approach.

As explained above, the group and component engagement teams are responsible for evaluating sufficiency of the SSC audit work performed for the group and component / statutory reporting purposes, as appropriate, in line with the requirements and guidance of CAS 600 (taking into account materiality, assertions addressed and other relevant factors). Component statutory engagement teams need to consider whether the population used by the SSC engagement team for testing of controls and the extent of that testing are sufficient for statutory reporting purposes. Also, as explained above, the evaluation of design, implementation and operating effectiveness of internal controls needs to be considered at the financial statement level as a whole; therefore, the conclusion of the group or component / statutory engagement team about design, implementation and operating effectiveness of internal controls as a whole will generally not be solely based on the report from the SSC engagement team.

When reporting to or receiving reports from external firm/auditor, this interoffice reasonable assurance report would not be appropriate. For reporting to external firm/auditor about controls work, we may use a specified procedures report, an agreed-upon procedures report in accordance with CSRS 4400 or, if applicable, an assurance report on controls at a service organization in accordance with CSAE 3416.