Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
4032 Summary of comfort
Jun-2021
In This Section
Audit Planning Template: components
Overview
This section explains:
- Components of the Audit Planning Template
- Use of the SoC at the account balance or business process level
- Creating SoCs within the Audit Planning Template
- Elements of the SoC template
OAG Guidance
The Audit Planning Template has three components: In Scope FSLIs, Inherent Risk Assessment (IRA), and Summary of Comfort (SoC). We must first complete the “In Scope FSLIs” (see OAG Audit 4031) and “Inherent Risk Assessment (IRA)” (see OAG Audit 5042) sheets before completing the SoC. This section of the manual relates to the SoC, which is the last step of this template.
The following flowchart explains the purpose of the Audit Planning Template, the three components, and which manual sections to go to for guidance on each of those components.
OAG Guidance
A SoC can be used at either an account balance or business process level. Many financial statement balances are derived from transactions in a process and the linkage between the transactions and balances is important. Therefore, use judgment to determine whether it makes more sense on the engagement to use SoC sheets on a business process or balance basis, or even a combination of both. For example, a SoC could be prepared for the Revenue, receipts and receivables business process. Alternatively, a team may decide to perform a SoC for the receivables balance and another for the overall profit and loss review. Refer to OAG Audit 4031 for guidance on grouping FSLIs.
OAG Guidance
SoCs are created in the Audit Planning Template once we click the “Create and Delete Summaries of Comfort as required” button located in the “Instructions” sheet. They are based on the information entered in the “In Scope FSLIs” sheet and the “Inherent Risk Assessment (IRA)” sheet. A SoC sheet will be created for each In Scope FSLI unless FSLIs have been grouped together, in which case a SoC sheet will be created for each FSLIs grouping.
In rare circumstances, engagement teams may need to create SoC sheets for FSLIs not In Scope (e.g., for FSLIs containing particular items with specific materiality levels for which a SoC will not be automatically created). As a result, a SoC can be created once we select the box found under the Additional Summary of Comfort Required column in the “In Scope FSLIs” sheet. The SoC sheet can be used to document FSLIs that are not In Scope, including those that are insignificant and do not have related significant risks.
For both automatic significant risks, management override of controls and significant related party transactions outside the normal course of business, separate SoCs sheets are already included in the Audit Planning Template. Proper responses to these risks must be documented. For the automatic significant risks for revenues as it relates to fraud, unless that presumption is rebutted, a separate SoC will be created and proper responses to this risk must also be documented (See OAG Audit 5042).
OAG Guidance
The table below explains the elements of the SoC in further detail:
Element of SoC | Guidance |
Inherent Risk Assessment by Assertion |
The information included in this section is pre-populated based on information entered in the “Inherent Risk Assessment” sheet as it relates to an In Scope FSLI or FSLIs grouping. Risk assessment cannot be changed unless it is changed in the IRA sheet. Only significant risks are carried forward in this section of the SoC. As a result, this section will be empty and greyed out for In Scope FSLIs not associated to a significant risk. In this case, the overall conclusion by assertion at the bottom of this section will be determined as normal for all assertions. The overall conclusion by assertion is pre-populated based on the following: a) if at least one inherent risk assessment for that assertion is normal higher, the overall conclusion will be normal higher. b) if at least one inherent risk assessment for that assertion is significant, the overall conclusion will be significant. |
Expected Controls Reliance by Assertion |
Provide a summary of controls relevant to the audit of the In Scope FSLI or FSLI grouping and expected to be relied upon. We use the same numbering for each control, as in the controls matrix, to allow the reviewer to have further details on the controls and to ensure compliance with CAS 315.29, which requires the auditor to understand the entity’s control relevant to significant risks. The information included in this section should be aligned to the information documented in the Tests of Controls template. Relevant Control type: See OAG Audit 6011 for guidance. Level of automation: See OAG Audit 6011 for guidance. Testing strategy: See OAG Audit 6030, OAG Audit 6040, and OAG Audit 6056 for guidance. Nature: See OAG Audit 6052 for guidance. Timing: See OAG Audit 6055 for guidance. Extent (sample size): See OAG Audit 6053 for guidance. Level of control assurance by assertion: The options are N/A, moderate and high. Expected Controls Reliance by Assertion (bottom row): Overall conclusion on evidence from the controls by assertion. The options are High, Partial and None. If changes are made to any of the rows included in this section, this field will be reset as blank and teams will have to re-enter their selection in order to confirm the appropriate expected controls reliance. |
Planned Level of Evidence from Substantive Procedures by Assertion | The information included in this section is pre‑populated based on information entered in the two previous sections: “Inherent Risk Assessment by Assertion” and “Expected Control Reliance by Assertion.” The default values are based on the potential testing strategies options described in OAG Audit 4024. The engagement team can override this information and select a different strategy than default ones. In such cases, different messages will be prompted requiring documentation of the rationale. We use the information in this section to design the substantive procedures required for the planned level of evidence. |
Substantive Analytics |
Nature: See OAG Audit 7032 for guidance. Timing: See OAG Audit 7015 for guidance. Extent: See OAG Audit 7014 for guidance. Evidence from substantive analytics by assertion: The options are N/A, low, medium and high. |
Tests of Details |
Nature: See OAG Audit 7041 for guidance. Timing: See OAG Audit 7015 for guidance. Extent: See OAG Audit 7014 for guidance. Evidence from tests of details by assertion: The options are N/A, low, medium and high. |
Desired Level of Evidence Obtained | Once selected procedures are executed, we must select either Yes or No to indicate if the desired level of evidence was obtained for each procedure. If the answer is No, a message will be prompted requiring documentation of compensating procedures at the bottom of the SoC. If an additional procedure is performed or another control is tested, a row should be added in the SoC sheet to document it. It should be documented in red. As a result, a trail / history of planning decisions made throughout the audit is kept in the SoC sheet. Refer to OAG Audit 4051 for further guidance related to changes to the audit strategy and plan. |
Total number of audit procedures per assertion |
An automated formula calculates the number of procedures (control testing, substantive analytics, and tests of details) performed by assertion. Reviewers may relate the number of procedures to the level of inherent risk assessed for an assertion when determining if sufficient appropriate audit evidence has been obtained by assertion given the assessed level of inherent risk. For instance, if the inherent risk for a given assertion has been assessed as significant and relatively few procedures are planned or have been performed, the reviewer will consider if the procedures are sufficiently robust to provide the desired level of evidence. Alternatively, if a relatively high number of procedures are performed for an assertion with normal inherent risk, the reviewer may wish to consider if a more efficient audit strategy should be or could have been applied. |
Have we considered the strength / quality of the linkages of each procedure to each assertion? | We must select either Yes or No. This information provides an overall qualitative measure of how well the planned procedures address the inherent risks by assertion. This field will reset as blank as soon as we make a change to any of the above fields in the SoC sheet. If a No answer is selected, a warning message will be prompted and the engagement team will need to adjust planned procedures to enable them to answer Yes. |
Based on professional judgment, are the procedures outlined above sufficient and not excessive to address the assessed risks? | Based on the information documented in the previous two rows, the engagement team documents its overall conclusion as to how well the planned procedures address the inherent risks, for each assertion. This field will reset as blank as soon as we make a change to any of the above fields in the SoC sheet. |
Financial Statement Assertions—A summary of how evidence was obtained in relation to each relevant financial statement assertion provides a clear indication of whether we have sufficient appropriate audit evidence and whether additional procedures may be necessary to address a particular assertion.
Audit Procedures—The audit procedures are performed in three distinct categories: Controls, Substantive Analytics and Substantive Tests of Details. While the audit procedures will be documented within the steps, a summary of the three primary testing approaches clearly identifies if sufficient evidence has been achieved and if not, what additional category of procedures might be performed. For example, where testing of controls does not result in significant evidence obtained from controls, it would be expected that the SoC would contain more extensive substantive analytics, if practicable, and/or substantive tests of details.