4025 Timing of understanding and evaluation of internal controls
Sep-2022

Extent of understanding and evaluation of internal controls prior to documenting the risk assessment and planning sign‑off

OAG Guidance

Before we determine the level of Expected Controls Reliance, we obtain sufficient understanding of the components of the entity’s system of internal control (including the impact of the use of IT) to be satisfied that the level chosen is appropriate to indicate the extent of further controls audit procedures deemed necessary.

Our expected controls reliance indicates the level of evidence (expressed as High, Partial or None) the auditor expects to obtain from performing tests of the client’s internal controls, including controls evidence obtained in prior audits if appropriate. The judgement takes into account both our preliminary assessment of control risk and our view on the efficiency of obtaining evidence from controls testing compared to substantive testing.

The audit working paper software allows us to document aspects of our understanding and evaluation of internal control (i.e., planning considerations) in conjunction with gather evidence procedures after we have documented our risk assessment and the reasons for doing so, if we plan to use the gather evidence procedures to document our understanding and evaluation of controls in the control activities component. The audit procedures represent tasks performed by us designed either to gather audit evidence as a basis for assessing and/or responding to risk, or otherwise to carry out audit steps that are necessary to comply with requirements. The performance of evidence gathering activities (also known as Procedure steps) collectively enables the auditor to comply with standards, draw conclusions and support the audit opinion.

Consideration

Potential impact on expected controls reliance

Results of previous audits that involved testing of the operating effectiveness of controls, including the nature of identified deficiencies and action taken by management to address them

If we had tested controls for operating effectiveness in the previous audit and the results were unsatisfactory, understand the extent to which management has rectified the deficiencies. If deficiencies have not been appropriately addressed, our ability to rely on the operating effectiveness of those controls is diminished and we need to determine the impact on our current year audit risk assessment and substantive test plan. If the results of our previous period controls testing were satisfactory, we may be able to rely on those controls again without testing all of them—see OAG Audit 6056.

The results of our current year understanding and evaluation of the control environment, entity’s risk assessment process and entity’s process to monitor the system of internal control.

The better our understanding of the effectiveness of management’s control in these areas, the better we are able to: assess risk; identify direct or indirect entity level controls that we may be able to rely on; and determine the most efficient strategy.

The control environment includes the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity. The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Therefore, if we have concerns about the ‘tone at the top,’ our ability to rely on controls further down the organization is diminished and we need to determine the impact on our current year audit risk assessment and substantive test plan.

The entity’s risk assessment process forms the basis for how management determines the risks they need to manage for business reasons. If that process is appropriate to the circumstances, including the nature, size and complexity of the entity, it assists us in identifying risks of material misstatement relevant to the audit. Management’s risk assessment also impacts the nature of the controls the entity implements to help mitigate risks, which in turn influences the effectiveness of controls. Whether the entity’s risk assessment process is appropriate to the circumstances is a matter of judgment.

The entity’s process to monitor the system of internal control is a process to assess the effectiveness of internal control performance over time. It involves assessing the effectiveness of controls on a timely basis and taking necessary corrective actions. Management accomplishes monitoring the effectiveness of controls through ongoing activities, separate evaluations, or a combination of the two. If management is able to demonstrate the existence and degree of implementation of their process for monitoring of controls, it will increase our ability to rely on such controls.

If ELCs monitor the effectiveness of other controls and are designed to identify possible breakdowns in lower‑level controls, this will impact the risk of material misstatement without being directly related to any specific assertions. They do not operate in a manner that would, by themselves, sufficiently address the risk that misstatements to the financial statement assertions exist. An example of this may be reviews and evaluations performed by an entity’s internal audit function. Our decision to test an Indirect ELC, although not required or expected, depends on our judgmental assessment of the importance of the Indirect ELCs to the effective operation of other (e.g., transaction level) controls and the extent to which we can relate those procedures to assertions. The extent to which testing Indirect ELCs impacts (i.e., reduces) the extent of further audit procedures is a matter of professional judgment.

Knowledge of the entity’s business processes and related information system and communications. This includes the accounting system and the IT environment related to it.

We obtain information from management about changes to the entity, its operations, significant business processes and related controls (including any changes in systems and controls related to IT).

Understanding the entity’s accounting and financial reporting systems is fundamental to our assessment of risk and the design of further audit procedures. We will seek to place high reliance on controls when the entity’s systems and processes are established and experience tells us that management takes significant comfort from the reliability of the information produced by the systems and processes for everyday decision‑making.

Changes to significant business processes may impact our ability to rely in different ways. We need to consider the following:

  • New personnel may have a different focus on or understanding of internal control.

  • Significant and rapid changes in accounting and information systems can change the risks relating to internal control.

  • Incorporating new technologies into production processes or information systems may change the risks associated with internal control.

We may, depending on the circumstances of the entity, perform procedures relating to ITGCs, if, based on our understanding of the internal control components, significant business processes and indirect entity level controls over IT, we determine that a controls‑based strategy in relation to certain FSLI(s) may be appropriate. This is because, if we determine that ITGCs do not operate effectively, we need to consider the extent to which the identified deficiencies will limit our ability to place reliance on the controls the ITGCs were meant to support. This would be particularly important if we are performing a first year audit.

Control activities

The scope and detail of our understanding of controls in the control activities component, and the timing of this work, have regard to what we have learned about the presence or absence of controls from our understanding of the other components of internal control and other knowledge gained in the process of planning the audit.

At the time of determining the strategy we may not necessarily have obtained a detailed understanding of the design of controls and established whether controls have been implemented. However, we need to have gathered enough information to understand how changes that may have occurred at the entity would impact our ability to rely on the operating effectiveness of controls, the efficiency of doing so and the impact, at least in broad terms, on our substantive test plan.

For first year audits, where we do not have previous audit experience upon which to draw, our initial understanding would likely be more detailed.

Extent of understanding and evaluation of internal controls prior to planning sign‑off

OAG Guidance

As explained in OAG Audit 4041, prior to the planning sign‑off we would ordinarily obtain an understanding of the entity's system of internal control sufficient to design further audit procedures. This understanding needs to be sufficient to determine our audit strategy and plan but would not necessarily involve an end‑to‑end walkthrough or similar procedures for each material business process.

In some circumstances we may obtain sufficient understanding of internal control prior to planning sign‑off but plan to perform further internal control evaluation procedures in addition to inquiries after the planning sign‑off. For example, during the planning phase we may perform inquiries combined with inspections of management reports that would be considered sufficient to sign off planning and plan to perform further procedures (e.g., walkthroughs or other procedures to meet the same objectives, such as observation and reperformance of controls) subsequent to planning sign‑off. This may be appropriate in situations when a single audit visit is planned at the end of the financial year and it is not practical to perform another visit solely for the purpose of evaluating internal controls.

Performing planning sign‑off sufficiently early will enable us to facilitate timely development of further audit procedures. Therefore, we need to consider whether we have obtained sufficient understanding of internal controls to be able to sign off planning, so that we can move forward with our engagement effectively and efficiently. However, where we plan to perform further internal control evaluation procedures after the planning sign‑off, we need to remain alert to the increased likelihood of the need to modify the audit plan as a result of the finalization of the internal control evaluation procedures.

The following factors may indicate that it is appropriate to perform internal control evaluation procedures in addition to inquiries after the planning sign‑off:

  • Results of previous audit engagements have indicated few or no control deficiencies, and management has historically taken appropriate action to address identified deficiencies.

  • Initial inquiries of management performed during the current period have indicated that there have not been any significant changes in the entity and the entity’s system of internal control (including significant business processes, information system and communication and related controls (including systems and controls related to IT or to relevant control operators)) during the current period and that no change is currently planned prior to the period‑end.

  • Results of our current year understanding and evaluation of the control environment, entity’s risk assessment process and entity's process to monitor the system of internal controls have not identified any significant control deficiencies.

  • We determine that we will be able to adequately address any potential changes to the audit strategy and plan necessitated by the results of internal control evaluation procedures after the planning sign‑off.

The following chart illustrates the factors above and summarizes when it may be appropriate to perform internal control evaluation procedures after the planning sign‑off:

[Chart: factors indicating when it may be appropriate to perform internal control evaluation procedures after the planning sign‑off]

The decision to execute internal control evaluation procedures after planning sign‑off is an important audit strategy decision that is to be made for each business process based on the circumstances of each engagement. We need to discuss and agree the decision with the engagement leader and document it within the planning documentation. In addition, the engagement leader and team manager will need to have an appropriate plan for completion of the procedures subsequent to planning sign‑off. Such a plan would generally describe the procedures that are planned to be performed after the planning sign‑off and the expected timing of their completion.

Relevant documentation can be provided in the procedure "Understand and evaluate the components of the entity's system of internal control", the procedure "Understand and evaluate the components of the entity's system of internal control - Control activities", the procedure "Determine audit strategy and plan" or other workpapers that are considered appropriate, and may also be referred to in the procedure "Engagement leader and team manager - Planning Sign‑off". It would generally not be necessary to mark the planning sign‑off procedure as reviewed again once the procedures have been performed. However, the engagement leader and/or team manager may consider it appropriate to re‑review the procedure "Engagement leader and team manager - Planning Sign‑off", e.g., in situations when significant changes to audit strategy or plan are made as a result of the procedures performed after the planning sign‑off.