2386 Independence, applicable GAAS and access considerations

Jun-2018

OAG Guidance

There are certain considerations that do not relate specifically to the methodology of audit planning and execution, but that are unique in a SSC environment and to which attention would be paid:

Monitoring work effort—The group engagement team will need to monitor requests by component teams for work to be performed by the SSC team to determine that this does not result in an unnecessary increase in total work effort. Regular communication would be encouraged between all teams with respect to progress of work against budgeted hours to avoid “surprises” upon completion of the work.

Independence and competency—GAAS and regulatory requirements in certain components may necessitate the SSC engagement team providing confirmations to group and component / statutory engagement teams regarding the independence and competency of the team performing the audit work (see OAG Audit 2328). In order to manage this process in a timely fashion, during the planning phase of the work the SSC engagement team inquires as to what confirmations will be necessary.

The SSC considers and coordinates centrally the full listing of these confirmations, and assigns an appropriate administration assistant to collate, track, and distribute appropriately required information for SSC engagement team members. Communicate and discuss any issues of potential non-compliance, however, with the respective group or component / statutory team immediately.

Group engagement teams identify all SSC engagement teams involved in the group audit including those that may not have direct reporting requirements with the group engagement team. Group engagement teams determine that SSC engagement teams are in compliance with the independence requirements of the group audit.

Applicable GAAS requirements—It is recommended that agreement be reached and explicitly documented during the planning phase as to the applicable auditing standards to be followed by the SSC team in the execution of the work. In most instances, it is expected that the work would be conducted in accordance with Canadian Auditing Standards or applicable GAAS, but if additional statutory or professional standard requirements exist, they need to be identified during the planning phase.

Use of engagement letters and representation letters—An engagement letter signed by the group engagement team might be sufficient to engage the SSC engagement team if management of the SSC does not have the responsibility for financial reporting.

In the same way as procedures for engagement letters would not change when auditing in a SSC environment, generally there is no need to alter the approach to obtaining representation letters unless the engagement team deems it necessary to obtain a separate representation letter from management of the SSC. Please note that when the SSC engagement team uses an interoffice reasonable assurance report based on CSAE 3000 to report on controls at the SSC, the SSC management will need to assume responsibility for preparing the risk and controls matrix, including control objectives. In such case it would generally be necessary to obtain a specific representation in this regard from management of the SSC regarding their responsibility for the design, implementation and operating effectiveness of the applicable internal controls.

Access to working papers—If we receive a report (e.g., in both the group and component / statutory context, audit teams receiving a memorandum on examination report from the SSC team), determine our ability to have access to the audit working papers of the reporting team if we consider that such access is required. On the assumption that the SSC work is performed properly and that there is a sufficiently detailed and clear report, it is anticipated that access to working papers would only rarely be necessary.

Best Practices

Many teams have already had several years of experience in auditing SSCs and have worked through many issues which are commonly experienced. Listed below are some of the good practices to consider when performing work in a SSC environment. These matters would be addressed in planning of the audit work at SSC’s.

• Planning and scoping—Successful sharing of evidence in a shared services environment requires all participating parties being committed to the scoping process. Further, determine that the resulting work is in sufficient detail to facilitate the execution of fieldwork. As with all audit work, detailed planning is necessary to avoid misunderstandings, inefficiencies, and exposure to the gathering of insufficient audit evidence. Time devoted to detailed scoping of controls work and substantive tests of detail in one year can be significantly leveraged in subsequent years.

Pay special attention to the challenges associated with designing and documenting the audit approach for the first year of auditing a client and/or the specific SSC. Heavier involvement of the group engagement team in planning may be needed.

• Communication within the engagement team—Preliminary discussions, documentation, and correspondence need to be clear on the definition of responsibilities and requirements of all parties. During the implementation phase of SSC, teams might consider workshops with representatives of the group, component, and SSC engagement teams to monitor progress and to reinforce the need to effectively leverage results of work performed centrally in the SSC.

• Client preparation—Preparing and educating the client may be as important as it is for other OAG teams. As our clients evolve to a centralized processing and accounting structure, engage in timely dialogue with the client to clearly understand the details of the timetable for migrating work to the SSC. This will enable engagement teams to plan their own approach effectively and mitigate the risk of misunderstandings with the client later in the audit cycle.

• Quality of documentation—Given the number of end users, the quality of documentation in the work product provided by the SSC audit team is important. Consider real-time participation from group, component, and SSC audit teams (possibly via timely conference calls to walk through results of testing) to evaluate the progress of work.

• Coordination between Core Attest team and IT Audit specialists—This is another factor relevant to all audit work, not just in a shared service environment. However, an important consideration to determine the approach to auditing in a shared service environment will be to understand the client’s plans for migration of existing IT systems or implementation of new systems, and determining the impact of those plans on our audit approach.

• Evaluation of findings—Results of testing may have different impacts for group and component teams, respectively, depending on the materiality level to which they are auditing. It is recommended that the SSC team provides sufficient details regarding any findings (e.g., magnitude of errors, existence, and degree of precision of any compensating control and results of testing that compensating control) and mitigating factors to enable all teams to interpret and evaluate the results for their own purposes.

• Understanding of budgeting arrangements—Clearly communicate budget arrangements and agree during the initial planning phase of the audit. These arrangements could also be discussed early to ensure all parties have an understanding of where work is being performed, the evidence anticipated to be provided for both consolidated and statutory audit purposes, and the correlation between the effort and the costs incurred.

• Substantive analytics—Where the group, component/statutory, or SSC engagement teams will perform analytical procedures that include information processed at an SSC, it is helpful to identify the appropriate contacts and prepare a centralized list to share with the audit teams. Further, it may be that the SSC team will need to perform the substantive analytics, depending on whether SSC management is responsible for financial statement assertions or not. When assessing the reasonableness of substantive analytics performed on the client's financial information, the SSC engagement team exercises judgment based on industry knowledge, the economic environment and corroboration of information from the other processes/personnel, etc. Without sharing this judgment and the basis upon which the team concluded that movements in accounts and balances were reasonable, it is difficult for the group / component / statutory teams to assess the results of the testing. Therefore, the basis upon which the SSC engagement team concluded that movements were reasonable, to the extent practicable, needs to be documented in the SSC working papers and communicated to the relevant teams as well. Determination as to whether the SSC engagement team or the group / component team will perform substantive analytical procedures will generally be driven by the client's organizational structure. More specifically, the procedures would generally be performed in the location at which the business analyst (or other individual) responsible for reporting and analysis of the results resides. This may be at the SSC, or it may be at a head office or local office. As part of the overall planning of the work, understand the entity’s structure and the division of responsibilities.