Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
3102 Involvement of IT Audit
Sep-2022
CAS Guidance
The entity’s use of IT and the nature and extent of changes in the IT environment may also affect the specialized skills that are needed to assist with obtaining the required understanding (CAS 315.A55).
When an entity has greater complexity in its IT environment, identifying the IT applications and other aspects of the IT environment, determining the related risks arising from the use of IT, and identifying general IT controls is likely to require the involvement of team members with specialized skills in IT. Such involvement is likely to be essential, and may need to be extensive, for complex IT environments (CAS 315.A171).
OAG Policy
Complex IT Environment
If the entity has a complex IT environment, IT Audit shall be involved in the audit, unless the engagement leader and the IT Audit jointly conclude that no specialized skills are required, beyond those possessed by the engagement team, to identify, assess and execute procedures that address the IT risks relevant to the audit [Sep‑2022].
Moderately complex IT Environment
If the entity has a moderately complex IT environment, IT Audit shall be involved in the audit, unless the engagement leader concludes, with consideration of advice from IT Audit, that no specialized skills are required, beyond those possessed by the engagement team, to identify, assess and execute procedures that address the IT risks relevant to the audit [Sep‑2022].
Where IT audit is involved in the audit:
-
The planned involvement of the IT Audit Team shall be adequately documented in the IT Audit Planning Memorandum and approved by the engagement leader and a member of the IT Audit Team.
-
The engagement leader shall ensure that a member of the IT Audit Team attends team meetings where the strategic audit approach or chosen sources of audit evidence are being discussed [Sep‑2022].
Whenever the audit strategy relies on IT dependent sources of evidence for which the information therein cannot or will not be verified for reliability by the engagement team, the IT Audit Team shall be involved in assessing the operating effectiveness of relevant IT general controls that support the IT dependent sources of evidence [Sep‑2022].
OAG Guidance
The level of IT Audit involvement will depend on:
- the specialized skill that are needed to understand the entity’s IT environment, identify risks from the use of IT, identify IT controls and develop and execute the audit plan
- the assessed complexity of the IT environment
- the extent to which the core audit team members have some or all of the necessary specialized skills
Consider consulting IT Audit at the planning stage of the engagement, so that the specialist can help the core audit team in assessing the complexity of the IT environment and determining the appropriate level of their involvement in understanding the entity’s IT environment, identifying and assessing risks arising from the use of IT, identifying IT controls, and developing and executing the audit plan. IT Audit may be engaged to fulfill a consulting, coaching and/or completion role on the engagement and such roles may vary for different applications on the same audit (Refer to OAG Audit 3101 for explanation of each of these three specialist roles). For example, IT Audit may be consulted, as needed, by the core audit team for a non‑complex commercial software (“off‑the‑shelf” application) whereas they may be engaged to complete the work on a more complex application.
When IT Audit is involved in the engagement it is important that the core audit team and IT Audit team members work in a coordinated way, and that the work done and conclusions drawn by IT Audit are discussed and integrated into the audit process. Early communication and coordination between the core audit team and IT Audit helps to prevent unexpected changes in our testing approach late in the engagement. For example, if the core audit team performed their procedures assuming ITGCs were operating effectively but during the final stages of the audit, when reviewing the work performed by IT Audit, realized that ITGC deficiencies were identified, it may be necessary to change the nature and extent of planned substantive procedures. This late realization may cause challenges for timely completion of the engagement and/or give rise to unexpected issues late in the engagement. See OAG Policy above on involvement of IT Audit on an engagement.
The requirement to involve IT Audit in an engagement with a complex and moderately complex IT environment (unless it has been agreed that specialized skills beyond those possessed by the core engagement team are not required) does not necessarily mean that all IT applications need IT Audit involvement. IT Audit and core audit team need to agree on the level of IT Audit involvement for each IT application. For example, IT Audit will typically be involved in the audit of an entity with a complex IT environment that includes a significant volume of data, interfaced applications and the use of emerging technologies. The same entity may also have a non‑complex, standalone (e.g., no interfaces with other applications) application for which the core audit team has the skill necessary to assess and execute procedures that address the IT risks relevant to the audit without involvement of IT Audit. See OAG Audit 5034 for example related to complex IT environment with non‑complex IT applications.
The following table provides some examples of when and how IT Audit may be involved for each of the three complexity levels of IT environments defined in OAG Audit 5034:
|
Complexity of IT Environment |
Examples of IT Audit involvement (Refer to OAG Audit 3101 for further considerations and guidance regarding the responsibilities of specialists) |
|
Complex |
|
|
Moderately Complex |
|
|
Non‑complex* |
|
* While there is no IT Audit involvement required by OAG Policy when the entity has a non‑complex IT environment, IT Audit can still enhance our understanding of how risks arising from the use of IT may impact our audit and/or provide advice on developing an effective audit response to these risks.
The decision to not involve IT Audit personnel in an audit of a complex IT environment must be made jointly with the engagement leader and IT Audit. The decision to not involve IT Audit personnel in an audit of a moderately complex IT environment must be made with input from IT Audit. The rationale for these conclusions are to be included in the planning documentation. These conclusions may take into account not only the specialized skills of the core engagement team, but also the complexity of the applications and other aspects of the IT environment giving rise to IT risks and the approach planned for obtaining audit evidence to address those risks..
If there have been no significant changes in the characteristics of the entity’s IT environment (Refer to OAG Audit 5034) since a joint conclusion (for a complex IT environment) or a conclusion with IT Audit input (for a moderately complex IT environment) was reached that involvement of IT Audit was not necessary, the engagement leader may elect, in the subsequent audit period(s), to make the determination whether specialized skills, beyond those possessed by the core engagement team, are required to identify, assess and execute procedures that address the IT risks relevant to the audit, without further input from IT Audit. In determining whether significant changes have occurred, consideration is to be given to both the current period changes as well as the accumulation of non‑significant changes over the period of time since the joint conclusion was reached that IT Audit involvement was not necessary. The longer the period of time since the joint conclusion was reached, the more likely it is that non‑significant changes will accumulate to a significant change that requires a reassessment of the need for IT Audit involvement.
The rationale for this conclusion, including consideration of whether there have been any significant changes in the IT environment since the initial conclusion, is to be included in the planning documentation.
In planning an audit that includes the involvement of IT Audit, the engagement leader and the engagement IT Audit personnel typically agree on matters such as:
-
The level of IT Audit involvement, which will depend on the specialized skills that are needed to understand the IT environment, identify risks arising from the use of IT and understand the IT controls that address such risks
-
IT related issues and risks to be given particular attention
-
IT Applications in scope that require IT Audit involvement
-
Expectations for IT Audit involvement in key team and client meetings, where applicable
-
Cybersecurity risk assessment and the extent of the IT Audit involvement in responding to cybersecurity risks (see further guidance related to cybersecurity in OAG Audit 5035.2)
-
The testing plan and resource allocation for ITGCs, automated controls, and automated calculations and other relevant IT Dependencies
-
The extent to which the engagement IT Audit personnel and/or the engagement leader will supervise and review the work performed
-
How IT Audit and core audit personnel will review the planned audit response where internal control deficiencies are identified
-
How IT control deficiencies identified will be assessed and reported to the core audit team, and, where applicable, to management and those charged with governance
Although the engagement leader has the overall responsibility for determining the team roles and responsibilities, including the use of IT Audit personnel on the audit, if the engagement IT Audit personnel has a difference of opinion about the decision of the engagement leader as to the level of involvement necessary, follow the guidance in OAG Audit 3082 for resolving those differences.
See OAG Audit 5034 for guidance on assessing the complexity of the IT environment, including some examples of different levels of complexity.
See OAG Audit 3101 for guidance on documentation of work performed by specialists in accounting or auditing, including the use of technology tools, as part of an audit.
The conclusion reached and the rationale for IT Audit specialist’s involvement is documented in the IT Audit Planning Memorandum.OAG Guidance
IT Audit specialists working on audit engagements need to be aware of rotation guidelines relevant to audits. Currently, there are no specific mandatory rotation guidelines for IT Audit specialists because they will depend on the role the IT Audit specialist fulfills on the audit. IT Audit specialists evaluate their role in the engagement and consider independence and/or regulatory guidance as well as OAG Audit 3031 to determine if they are subject to rotation.