6056 Using controls evidence obtained in prior audits
Sep-2022

Considerations when deciding whether to rely on controls evidence obtained in prior audits

CAS Requirement

In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a control, the auditor shall consider the following (CAS 330.13):

(a) The effectiveness of other components of the entity’s system of internal control, including the control environment, the entity’s process to monitor the system of internal control, and the entity’s risk assessment process;

(b) The risks arising from the characteristics of the control, including whether it is manual or automated;

(c) The effectiveness of general IT controls;

(d) The effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control noted in previous audits, and whether there have been personnel changes that significantly affect the application of the control;

(e) Whether the lack of a change in a particular control poses a risk due to changing circumstances; and

(f) The risks of material misstatement and the extent of reliance on the control.

If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specific controls, the auditor shall establish the continuing relevance and reliability of that evidence by obtaining audit evidence about whether significant changes in those controls have occurred subsequent to the previous audit. The auditor shall obtain this evidence by performing inquiry combined with observation or inspection, to confirm the understanding of those specific controls, and (CAS 330.14):

(a) If there have been changes that affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current audit.

(b) If there have not been such changes, the auditor shall test the controls at least once in every third audit, and shall test some controls each audit to avoid the possibility of testing all the controls on which the auditor intends to rely in a single audit period with no testing of controls in the subsequent two audit periods.

If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in previous audits, the auditor shall include in the audit documentation the conclusions reached about relying on such controls that were tested in a previous audit (CAS 330.29).

CAS Guidance

In certain circumstances, audit evidence obtained from previous audits may provide audit evidence where the auditor performs audit procedures to establish its continuing relevance and reliability. For example, in performing a previous audit, the auditor may have determined that an automated control was functioning as intended. The auditor may obtain audit evidence to determine whether changes to the automated control have been made that affect its continued effective functioning through, for example, inquiries of management and the inspection of logs to indicate what controls have been changed. Consideration of audit evidence about these changes may support either increasing or decreasing the expected audit evidence to be obtained in the current period about the operating effectiveness of the controls (CAS 330.A36).

Changes may affect the relevance and reliability of the audit evidence obtained in previous audits such that there may no longer be a basis for continued reliance. For example, changes in a system that enable an entity to receive a new report from the system probably do not affect the relevance of audit evidence from a previous audit; however, a change that causes data to be accumulated or calculated differently does affect it (CAS 330.A37).

Three year rule for controls testing

CAS Requirement

If there have not been such changes, the auditor shall test the controls at least once in every third audit, and shall test some controls each audit to avoid the possibility of testing all the controls on which the auditor intends to rely in a single audit period with no testing of controls in the subsequent two audit periods (CAS 330.14(b)).

If the auditor intends to rely on controls over a risk the auditor has determined to be a significant risk, the auditor shall test those controls in the current period (CAS 330.15).

CAS Guidance

The auditor’s decision on whether to rely on audit evidence obtained in previous audits for controls that (CAS 330.A38):

(a) have not changed since they were last tested; and
(b) are not controls that mitigate a significant risk,

is a matter of professional judgment. In addition, the length of time between retesting such controls is also a matter of professional judgment, but is required by paragraph 14(b) to be at least once in every third year.

In general, the higher the risk of material misstatement, or the greater the reliance on controls, the shorter the time period elapsed, if any, is likely to be. Factors that may decrease the period for retesting a control, or result in not relying on audit evidence obtained in previous audits at all, include the following (CAS 330.A39):

  • A deficient control environment.
  • A deficiency in the entity’s process to monitor the system of internal control.
  • A significant manual element to controls.
  • Personnel changes that significantly affect the application of the control.
  • Changing circumstances that indicate the need for changes in the control.
  • Deficient general IT controls.

When there are a number of controls for which the auditor intends to rely on audit evidence obtained in previous audits, testing some of those controls in each audit provides corroborating information about the continuing effectiveness of the control environment. This contributes to the auditor’s decision about whether it is appropriate to rely on audit evidence obtained in previous audits (CAS 330.A40).

OAG Guidance

Overall Considerations

It may be the practice on some engagements, in the absence of change and significant risks, to rotate testing of controls, particularly information processing controls, among systems/applications from year to year. If such an approach is to be adopted, we consider carefully how we have obtained evidence of the continued operation of controls in systems where we are not performing tests in the current year. This might include, for example, the results of work to confirm the absence of change, continued testing of Information Technology General Controls, and tests of management’s process to monitor the system of internal control.

We would ordinarily test at least some controls within each business process where we plan to rely on controls. However, in some circumstances, where we have obtained evidence from our understanding of controls that there is no change, we may decide to rotate controls testing on a business process basis, e.g., test controls within some processes in the current audit and test other processes next year. It would generally be inappropriate to completely rely on prior year testing for a business process if:

  • there are higher risks associated with that business process;
  • there is a significant manual element to the process; or
  • there are weak entity level controls or exceptions identified in prior year tests.

We perform a combination of procedures that encompass inquiry, observation and examination to obtain evidence that manual controls tested in the prior year have not changed and continue to be in place. The extent of these procedures would be less than the testing that would be needed to fully test the controls again in the current year audit.

In addition to the factors listed in CAS 330.14, consider the significance of the assertions involved, the specific controls that were evaluated during prior audits, the degree to which the effective design and operation of those controls were evaluated, the results of the tests of controls used to make those evaluations, and the evidence about design or operation that may result from substantive tests performed in the current audit. For example, the reasons for any misstatements identified through substantive testing need to be evaluated to determine whether they may be indicative of ineffective internal controls.

Changes

Changes reduce the assurance we can derive from prior audit experience. Therefore, we consider:

  • changes in the entity’s business, industry and regulatory environment, strategy, control environment, management personnel or structure, and the underlying risks, including the risk of fraud; and
  • changes in systems and technology, and the processes and controls management uses to get assurance.

Accordingly, a key focus during the controls evaluation is to properly identify and react to change. See OAG Audit 5030 for further guidance on understanding the entity’s system of internal control to evaluate whether controls at the entity have changed.

Where there are significant changes in the entity’s business, environment, risks and controls, we apply controls evaluation procedures with regard to such changes. The precise consequences of the change are identified and audit work planned accordingly, rather than adopting an unfocused increase in work in all areas. For example, if we identified that a new sales order processing system had been introduced at the beginning of the period, this would be a significant change that would impact both manual and automated controls, rendering evidence from prior years irrelevant for the current period. Therefore, we consider the impact on management information, and controls performed by management over sales.

The longer the time elapsed since the testing of the control’s effectiveness, the less assurance the results of prior years’ work may provide with regard to operating effectiveness in the current year. At a minimum, we test the operating effectiveness of the controls on which we intend to rely at least every third year, but there may be cases where we decide to test the operating effectiveness of unchanged controls more frequently than every third year. Factors that may decrease the period for retesting include:

  • Identified deficiencies in the entity’s system of internal control or ITGCs.
  • The controls being relied on are manual controls. Note that not all manual controls are required to be retested every period. Routine, transaction-level manual controls performed in a stable environment, combined with consideration of other factors noted above, may allow for reliance on previous period testing. Conversely, complex, judgmental manual controls addressing risk areas at the higher end of the normal continuum may not be good candidates for relying on previous period testing.
  • The higher the risk of material misstatement, or the greater the reliance we place on controls, the shorter the time elapsed is likely to be.

The following diagram illustrates considerations for determining whether to test in the current year:

Exhibit—text version

This flow chart shows the process an auditor or audit team should follow to decide whether to rely upon audit evidence about the operating effectiveness of controls obtained in previous audits. The first question in the process is: Is it a control over a significant risk? After the question is the reference to Canadian Accounting Standard CAS 330.15. The auditor answers either Yes or No to this question.

If the auditor answers Yes, the next step is to Test in the current year. If the auditor answers No, the next step is to ask the question: Have we tested the control in the previous two years? After that question is the reference to CAS 330.14(b).

If the auditor answers No to the question of testing in the previous two years, the next step is to Test in the current year. If the auditor answers Yes to the question of previous testing, the next step is to Consider whether to test in the current year. This last step includes three questions:

  • Any changes (CAS 330.14)?
  • Factors indicating need to test (e.g. complex manual control)?
  • Necessary to meet requirement to test some controls each year (CAS 330.A39)?

Because of their pervasive effect on information processing controls, we need to be more cautious about using audit evidence obtained in prior periods regarding the continued operating effectiveness of ITGCs. While it may not be necessary to test the operating effectiveness of every ITGC each year, we consider the extent of our intended reliance on automated information processing controls and our planned approach for testing the automated controls when determining the nature and extent of evidence needed about the operating effectiveness of ITGCs. For example, when our approach contemplates high reliance on numerous automated information processing controls based on prior year evidence, at least relevant program change controls would ordinarily be tested in the current period to obtain sufficient evidence that the information processing controls have not changed.

Automated, Manual and IT Dependent Manual Controls

Where we are using audit evidence obtained in a prior year audit, we obtain evidence that manual information processing controls tested in the prior year have not changed and continue to be in place. Consider the following factors, among others that may be relevant, when deciding whether to use audit evidence about the operating effectiveness of controls obtained in previous periods during the current year audit. Use judgment in considering the factors. Not all factors are equally relevant to the decision of whether or not to rely on the previous period testing for an individual control:

Automated, manual and IT dependent manual controls

  • The significance of the risk of material misstatement. Using controls evidence obtained in prior periods is only applicable to controls responding to normal or elevated risks. A control in the control activities component that responds to a significant risk is tested in each year we plan to rely on it, as per CAS 330.A38.
  • The level of reliance on the control. The higher the reliance required on the control, the more judgment is required in assessing the suitability of relying on controls evidence obtained in prior periods.
  • The strength of the control environment and the entity’s process to monitor the system of internal control. If it has been concluded that the control environment and the entity’s process to monitor the system of internal control are strong, then this may provide an environment where the controls continue to operate effectively.
  • The changing circumstances that indicate the need for changes in the control. Should there be significant change to the operation of the control, then it may not be possible to place reliance on evidence obtained in prior audits as detailed within CAS 330.14(a). Additionally, if there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness, relying on previous period testing may not be appropriate.
  • The nature, timing, and extent of procedures performed in previous audits. The more robust the testing in the prior periods (e.g. reperformance vs. observation), the more likely we can rely on previous period testing.
  • The results of the previous years’ testing of the control. If we concluded the control was designed and operating effectively in prior years, relying on previous period testing may be appropriate, whereas if we found design or operating deficiencies, this approach may not be appropriate.
  • The nature and materiality of misstatements that the control is intended to prevent or detect. The more material a potential misstatement associated with the operation of the control, the less likely we can rely on previous period testing.

Automated controls only

  • The effectiveness of the controls in the IT environment, including controls over application and system software acquisition and maintenance, access controls and computer operations. If we determine that those controls remain effective and provide sufficient evidence that automated controls have not changed, testing of the automated control in the subsequent period may not be necessary (testing would need to be performed at least every three years in accordance with CAS 330). If we determine that the controls over IT are less effective, we consider the potential impact on the ongoing reliability of automated controls in our audit and consider obtaining the assistance of an IT audit specialist.
  • The auditor’s understanding of the nature of changes, if any, on the specific programs that contain the controls. The more significant the changes made to these programs, the higher the likelihood that testing will be required in the current audit period.
  • The nature and timing of other related tests. Should other tests indicate that the automated control may not be operating effectively, then this may be taken into consideration when concluding on rotating testing of the detailed control activity.
  • The consequences of exceptions associated with the information processing control that was benchmarked. The higher the risk associated with the control, the more likely testing will be required in the current audit period.
  • The sensitivity of the control to other business factors that may have changed. The more significant the changes made to these business factors, the higher the likelihood that testing will be required in the current audit period.

Manual and IT dependent manual controls only

  • The presence of a significant manual element in the process. It would generally be inappropriate to completely rely on prior year testing for a business process if there is a significant manual element to the process.
  • Personnel changes that significantly affect the application of the control. Should there be significant change to the operation of the control, then it may not be possible to place reliance on evidence obtained in previous audits as detailed within CAS 330.14(a). Additionally, the competence of new personnel performing the control may impact our decision to rely on evidence obtained in previous audits.
  • The effectiveness of the ITGCs. Where controls are IT dependent, the effectiveness of the ITGCs impacting the control needs to be considered.

Documentation

Use judgment in determining what information needs to be included in the current year audit file. In order to evidence the consideration of the prior year audit evidence about the operating effectiveness of controls, we typically include the results of the prior year testing in the current period’s workpapers, as well as documentation of our current period evaluation of the sufficiency of the procedures.

Guidance specific to Legislative Auditors

OAG Guidance

Typically, the scope of performance audits does not include issues directly related to financial statement audits. As such, financial auditors will rarely use performance audit work as evidence over the operating effectiveness of controls. However, the information in the performance audit file could be useful, to some extent, at the planning phase.

On the other hand, financial auditors could use information gathered during the special examination of a Crown corporation to design their controls testing and, sometimes, as evidence about the operation of controls. For example, the work done on the information technology system could be used to better understand and assess the ITGCs or the controls put in place by the entity when implementing a new information system.

In all cases, financial auditors should ensure that the work performed in other audit products responds to their objectives, to risks of material misstatement in the financial statements, and that the number of tests as well as the population used for sampling and period covered are appropriate.

Auditors will document the rationale of the decision to use evidence obtained in other audit products and how this information meets their objectives.