Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
6055 Determine whether evidence is available for the whole period
Jun-2021
This Section
Obtain controls evidence for the entire period of reliance
Determine nature of procedures needed for intervening period
Shorter period audits and testing for remaining period—Examples
Overview
This topic explains:
- The CAS requirement in relation to testing controls for the entire period we seek to rely on
- Potential actions we could take based on the results of shorter period audit testing
- Multilocation consideration when testing controls
- Factors to consider when deciding how to test the remaining period if controls testing was done at an interim date
Obtain controls evidence for the entire period of reliance
CAS Requirement
The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those controls, subject to paragraphs 12 and 15 below, in order to provide an appropriate basis for the auditor’s intended reliance (CAS 330.11).
CAS Guidance
Audit evidence pertaining only to a point in time may be sufficient for the auditor’s purpose, for example, when testing controls over the entity’s physical inventory counting at the period end. If, on the other hand, the auditor intends to rely on a control over a period, tests that are capable of providing audit evidence that the control operated effectively at relevant times during that period are appropriate. Such tests may include tests of controls in the entity’s process to monitor the system of internal controls (CAS 330.A33).
Determine nature of procedures needed for intervening period
CAS Requirement
If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor shall (CAS 330.12):
(a) Obtain audit evidence about significant changes to those controls subsequent to the interim period; and
(b) Determine the additional audit evidence to be obtained for the remaining period.
CAS Guidance
Relevant factors in determining what additional audit evidence to obtain about controls that were operating during the period remaining after an interim period, include (CAS 330.A34):
-
The significance of the assessed risks of material misstatement at the assertion level.
-
The specific controls that were tested during the interim period, and significant changes to them since they were tested, including changes in the information system, processes, and personnel.
-
The degree to which audit evidence about the operating effectiveness of those controls was obtained.
-
The length of the remaining period.
-
The extent to which the auditor intends to reduce further substantive procedures based on the reliance of controls.
-
The control environment.
Additional audit evidence may be obtained, for example, by extending tests of controls over the remaining period or testing the entity’s monitoring of controls (CAS 330.A35).
OAG Guidance
We need evidence for the whole period on which we intend to rely. The longer the time that has elapsed since our work the less assurance that work may provide with regard to the remaining period. Additionally, the decision to rely on the effective operation of controls at or close to the period end takes on added significance if there is increased risk of management override of controls at or close to the period end.
In deciding in what areas we need to perform update testing, first consider the nature and extent of any changes in the entity’s internal control, including its policies, procedures, and personnel that have occurred subsequent to the time of the original work. The extent of changes, and the significance of the changes, influences our decision about the nature of testing for the remaining period.
Determine what additional evidence we need concerning the operation of the controls for the remaining period. This additional evidence may include inquiry or other procedures and in some circumstances, e.g., when we assess the risk associated with a control for the remaining period as low, inquiry alone might be sufficient as a roll-forward procedure.
Deciding on the nature and extent of additional testing, if any, for a given control is a matter of judgment including consideration of the factors noted in CAS 330.A34. In deciding on the specific tests needed to gain the required assurance with regard to the remaining period, consider
-
controls in the entity’s process to monitor the system of internal control, such as management’s monitoring of the effectiveness of exception report reviews. Testing such controls in the remaining period may provide evidence of the continued operation of controls in the control activities component;
-
operation of high-level controls. Testing the continued operation of controls performed by management at high levels in the organization during the remaining period may provide evidence about the effective operation of controls at lower levels, both automated and manual. These controls may be high level business performance reviews operated by senior management;
-
manual controls are more prone to mistakes and random failures than automated controls. Where we seek evidence from such controls, obtain evidence of their continued operation considering such factors as the frequency of the execution of the control, the number of people executing the control, and the number of locations at which the control is executed;
-
automated controls are not prone to mistakes or subject to random failures or deterioration over time, provided that relevant Information Technology General Controls are operating effectively. Testing the continued operation of effective monitoring of controls in the information systems and technology area during the remaining period may provide sufficient evidence about the effective operation of ITGCs over maintenance, information security and computer operations activities;
-
we may consider limiting our testing in the remaining period to inquiries about a control’s continued operation and examination of evidence indicating that the control was performed, e.g., annotated copies of reports and/or follow-up communications.
Spreading tests throughout the remaining period is not always necessary where controls are cumulative, e.g., reviewing and following up an exception report that lists items until such time as they are resolved, or the reconciliation of control accounts to the related detail. In such cases, tests that provide evidence that a control operated effectively at the year-end also may provide evidence about its operation throughout the annual period.
Shorter period audits and testing for remaining period—Examples
OAG Guidance
The following examples illustrate potential scenarios and actions we could take based on the results of the half year testing.
Example 1
The first column of the table below outlines a half year audit testing plan for a manual control. The second and third columns illustrate the testing for remaining period, which will be necessary when a) there were no changes in the control or entity's environment; and b) significant changes in the control occur in the second half of the year.
Half year audit | Update testing—no changes since the half year audit | Update testing—significant changes since the half year audit | |
---|---|---|---|
Internal Control Framework (ICF) evaluation | Sufficient and appropriate for the type and size of business. | Sufficient and appropriate for the type and size of business for the remaining half year. | Sufficient and appropriate for the type and size of business for the remaining half year. |
Prior audit experience / changes since prior audit | Controls tested in prior years with no exceptions identified. | Based on our inquiry and observation procedures, no significant changes have occurred in relation to the people, processes and systems involved in the operation of this control. | Based on our inquiry and observation procedures, there were significant changes in relation to the people, processes and systems involved in the operation of this control in September. |
Type of control | Manual Control | ||
Control addressing a significant risk | No | ||
Frequency / Occurrence of control | Daily-assumed population of 125 for half year | Daily | Daily |
Planned level of assurance | High | High | High |
Sample size for testing | 15 | 5 | 15 |
Rationale |
Given prior audit experience and results of understanding and evaluation of ICF components, we determined that sample size of 15 is sufficient to provide high level of assurance for the half year audit. This is based on our assessment of the control as relatively important to the evidence we seek to obtain, low risk associated with the control and absence of exceptions identified in prior years. We have also taken into account that an annual audit will be performed and aimed to complete most of the controls testing before the annual audit visit. A total sample size of 20 for the annual audit is expected to be sufficient in our judgment. Hence, we expect to reperform additional 5 items for the second half of the year during the annual audit visit. |
Given results of half year testing and length of the remaining period, understanding and evaluation of internal control (based on inquiries combined with other procedures), absence of changes in the control environment, we determined that sample size of 20 reperformance tests would be sufficient to provide high level of assurance for the full year. Hence, although the remaining period is quite significant, we reperform additional 5 items for the second half of the year. | Given prior audit experience and results of understanding and evaluation of internal control framework based on inquiries combined with other procedures, significant changes in the control environment, results of half year testing and length of the remaining period, we determined that sample size of 30 reperformance tests would be sufficient to provide high level of assurance for the full year. Hence, we reperform additional 15 items for the second half of the year. |
Example 2
The first column of the table below outlines a half year audit testing plan for a manual control. The second and third columns illustrate the testing for the remaining period, which will be necessary when a) there were no changes in the control or entity's environment; and b) significant changes occur in the control in the second half of the year AND the assessed risk addressed by the control changes to a significant risk in the second half of the year.
Half year audit | Update testing—no changes since the half year audit | Update testing—significant changes since the half year audit | |
---|---|---|---|
Internal Control Framework (ICF) evaluation | Sufficient and appropriate for the type and size of business. | Sufficient and appropriate for the type and size of business for the remaining half year. | Sufficient and appropriate for the type and size of business for the remaining half year. |
Prior audit experience / changes since prior audit | No changes in control operation since prior years. In the previous year the control was not tested and prior audit evidence had been relied on. The control has been selected for testing in the current year. | Based on our inquiry and observation procedures, no significant changes have occurred in relation to the people, processes and systems involved in the operation of this control. | Based on our inquiry and observation procedures, there were significant changes in relation to the people, processes and systems involved in the operation of this control in September. |
Type of control | Manual Control | ||
Control addressing a significant risk | No | No | Yes [Note: This assumes the assessed level of risk has changed to significant subsequent to the half year audit.] |
Frequency / Occurrence of control | Multiple times per day-population exceeds 250 for half year. | Multiple times per day | Multiple times per day |
Planned level of assurance | High | High | High |
Sample size for testing | 25 | 10 | 25 |
Rationale |
Given prior audit experience and results of understanding and evaluation of ICF components (based on inquiries combined with other procedures), we determined that sample size of 25 is sufficient to provide high level of assurance for the half year audit. This is based on our assessment of the control as relatively important to the evidence we seek to obtain, low risk associated with the control and absence of exceptions identified in prior years). We anticipate that we would need to test additional 10 control instances as part of the annual audit. This is based on our judgment and reflects the low risk of the control, successful prior year testing and the fact that this is a less important control. Thus, even though the length of the remaining period is quite significant, we would only test additional 10 items. |
We determined that sample size of 30 reperformance and 5 inspection tests would be sufficient to provide high level of assurance for the full year and we would test additional 10 control instances as part of the annual audit. This is based on our judgment and reflects the low risk of the control, successful prior year testing and the fact that this is a relatively important control. Thus, even though the length of the remaining period is quite significant, we would only test an additional 10 items. Hence, we would reperform and inspect an additional 5 items (i.e. 5 of each type of test, for a total of 10) for the second half of the year. As no exceptions have been identified as a result of the half year audit, no concerns regarding the evidence obtained regarding the half year audit have been raised. | Given prior audit experience and results of understanding and evaluation of internal control framework based on inquiries combined with other procedures, significant changes in the control environment, changes in the risk level, results of half year testing and the length of the remaining period, we determined that additional 25 items would need to be tested. Because of the extent of changes that occurred in the second half of the year, we effectively consider the control for the remaining period as a separate population; the sample size is on the higher end due to the change in risk level. We consider that the total of 25 reperformance would be sufficient to provide high level of assurance for the full year. Thus, we would perform additional 25 reperformance as part of the annual audit. As the changes occurred in the second half of the year and no exceptions have been identified as a result of the half year audit, no concerns regarding the evidence obtained regarding the half year audit have been raised. |
Multilocation considerations
OAG Guidance
In a centralized shared services center, with a homogeneous environment with “cookie cutter” transaction processing (lower risk), professional judgment is to be exercised when considering the need to visit sampled locations. In this environment, the controls at the location / business unit level will oftentimes be routine in nature. In such situations, we may be able to perform update testing without visiting the location/business unit through telephone inquiries of appropriate management personnel for routine controls. For update testing of more risky controls and for routine controls for which testing beyond inquiry is performed to corroborate our inquiry procedures, we may consider having the supporting documentation sent to us rather than visiting the sampled location.
In a non-homogeneous environment (higher risk) where transaction processing is performed at the location / business unit level, much of the update testing may need to be performed on-site for controls were testing beyond inquiry is considered necessary.
Example: We performed testing over the relevant controls in the accounts receivable process on Company X (with a year end date of 31 December) as of 30 September and targeted testing of accounts receivable balances at 31 October. During our year end audit procedures we considered the need to update the testing, and concluded that because of the length of time that had elapsed since we performed our interim testing, and our decision to place high reliance on these controls in planning our audit of the financial statements, that we need to perform some type of update control testing. We established the following plan for update testing: Control 1—On a daily basis, the accounts receivable clerk reconciles cash collections recorded in the subledger to the online bank records and investigates any differences over a relatively low dollar threshold. The accounts receivable clerk was responsible for this control throughout the entire year, and no exceptions were noted during our interim testing. This control is not complex and does not require a significant level of judgment. Therefore, we determined that inquiry of the accounts receivable clerk regarding the consistency of the procedures performed and any unusual occurrences during the period from 30 September to 31 December provided us with sufficient evidence that the controls continued to operate effectively. Control 2—Each month end the Controller requests a shipment report for the last three days of the period and compares the report to the current portion of the accounts receivable aging to ensure completeness and existence of the accounts receivable balance. Although this control is not particularly complex, the volume of shipments during the last week of the month is generally significant to the accounts receivable balance. In addition, by comparing the accounts receivable recorded to shipping records, the Controller is monitoring activity for any evidence of intentional misstatements to the accounts receivable balance. Because of the multiple purposes of this control and the possible implications if the control failed to operate effectively, we decided to inquire of the controller and the accounts receivable manager, and observe a few instances of the controller’s review. Control 3—Each month end the Controller, CFO, and Credit Manager review the accounts receivable aging and, as a group, determine the need for bad debt reserves for long outstanding customer balances. They utilize a variety of information, including the customer’s prior payment history and communications with the customer, the percentage of the total balance over 90 days and 120 days to total accounts receivable and year-to-date write-offs compared to the reserves. This control is highly subjective (although not complex) and has potentially significant implications to the balance sheet and income statement. Because it is a management estimate, it is also subject to potential fraud risk. For these reasons, we decided to examine the evidence of a few instances of this control in operation at year end, which included notes from the discussion of the group and records of communication with customers. If we do not identify any deficiencies during our interim phase and update procedures detailed above, we would place high reliance on controls when planning update procedures in relation to the confirmation of accounts receivable performed at 31 October. For example, in this situation we may decide to obtain a roll-forward of the accounts receivable balance from 31 October to 31 December and perform very limited testing on the amount of cash receipts recorded for the period (substantive analytical procedures or high dollar / risk-based target testing). |