Direct Engagement Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
12010 Direct Engagements to Report on Compliance with Specified Requirements (reports on compliance)
Dec-2022
Overview
The Canadian Standard on Assurance Engagements (CSAE) 3531, Direct Engagements to Report on Compliance, has been in effect since April 2019. CSAE 3531 covers engagements previously conducted under the CPA Handbook sections on Special Reports—Compliance with Agreements. This new standard is not expected to have a big impact on direct engagements at the Office of the Auditor General of Canada (OAG). However, if the OAG decides or is asked to carry out a direct engagement to report on compliance with specified requirements (report on compliance), audit teams will need to plan, perform, and report the engagement according to CSAE 3531. CSAE 3531 supplements, but does not replace, CSAE 3001. Engagements to report on compliance with specified requirements are narrow in scope, with a sole focus on compliance with specific requirements at an identified point in time or for a specified period of time.
OAG Guidance
Direct engagements that report on compliance with specified requirements provide assurance on whether an entity has complied with specific requirements at a point in time, or for a specified period of time. A “specified requirement” is established in agreements, by specified authorities, or a provision thereof, with which the entity is required to comply. Among others, specified authorities or requirements can be found in legislation, regulations, directives, funding agreements, lease agreements, and loan agreements.
Although many of the OAG performance audits include examining whether entities have followed requirements and auditors use legislation, regulations, or agreements as sources of criteria, the audits would not be automatically considered as engagements that report on compliance with specified requirements. Reporting on compliance with requirements is generally not the sole purpose of the performance audits, as the audits would also include an examination of whether government programs are being managed with due regard for economy, efficiency, and environmental impact, and whether there are measures in place to determine their effectiveness. Similarly for special examinations, the work may include an assessment of a specific authority, but the objective is not solely to report on compliance.
CSAE 3531 includes illustrations of reports on compliance. A compliance report is typically about 500 words, where the opinion (conclusion) of whether the entity has complied with the requirements is stated. In contrast, a performance audit or special exam usually contains many paragraphs, with contextual information, observations, findings, recommendations, and a conclusion.
At the end of this section, see two examples of when CSAE 3531 could apply.
Audit teams are encouraged to contact Audit Services before they decide whether their audit is a direct engagement that reports on compliance with specified requirements that should be conducted under CSAE 3531. To make their decision, audit teams should consider the purpose of the engagement, the needs of the entity, and the users of the compliance report.
Differences between a performance audit and a report on compliance, and other considerations
The Office’s Direct Engagement Manual and System of Quality Management apply to direct engagements to report on compliance with specified requirements. There are, however, some differences and additions required by CSAE 3531 which are outlined below.
Purpose of the engagement
CSAE 3531 requires audit teams to express a conclusion about whether the entity complied with the specified requirements, in all significant respects. The objective of a direct engagement under CSAE 3001 is to report whether the underlying subject matter conforms with the applicable criteria.
Risk assessment
Similarly to CSAE 3001, CSAE 3531 requires that the team obtain an understanding of the entity and its environment during the planning phase. For CSAE 3531, this means that the team must also learn about the specified requirements and make inquiries concerning how the entity monitors its compliance. The necessary procedures to obtain an understanding of the entity and its environment would not be that different from those in other direct engagements. They would, however, have to be sufficient to identify areas or risks of non-compliance with the specified requirements. An understanding of the entity’s internal controls is part of the understanding of the entity and its environment and will enable teams to identify areas or risks of non-compliance and create a basis for designing and performing procedures. Professional judgment is needed to determine which controls are relevant in the engagement circumstances and how this understanding will be obtained.
Audit objective
Under CSAE 3531, the objective of a direct engagement to report on compliance with specified requirements is to obtain reasonable assurance (or limited assurance, as appropriate) about whether an entity complies with specified requirements at a point in time (for example, as at the year-end of the entity), or for a specified period of time (for example, the fiscal year of the entity). The audit objective should be expressed in terms of the conclusion the audit is expected to draw regarding the entity’s compliance with the specified requirements.
Criteria
Under CSAE 3531, criteria are benchmarks used to measure or evaluate the entity’s compliance with the specified requirements. CSAE 3001 defines criteria as the benchmarks used to measure or evaluate the underlying subject matter. As such, in a direct engagement to report on compliance with specified requirements, the criteria should not simply be a restatement of the requirements, but should define how the auditor will know whether the requirement is met. For example, if regulations specify that an entity must provide services in a timely manner, then the audit team would need to identify which services and what a timely manner means. The team could develop a criterion such as the following: Entity ABC has provided service ABC within a month of receiving a complete application. This example requires the audit team to interpret the requirements, since they were not defined.
If specified requirements require significant interpretation, CSAE 3531 requires that audit teams develop the interpretation with relevant parties: the user of the report (who, in some circumstances, may be a regulator) and the entity’s management. The audit team must also seek acknowledgement from management that the interpretation is suitable.
Written representations
An engagement conducted under CSAE 3531 requires written representations from the entity’s management beyond those required by CSAE 3001. In addition to the written representations required by CSAE 3001, the audit team shall request the following representations from the entity’s management:
(a) Acknowledging management’s responsibility to comply with the specified requirements;
(b) Acknowledging management’s responsibility for such internal control over compliance with the specified requirements as management determines is necessary;
(c) Stating whether management has performed an evaluation of the entity’s compliance with the specified requirements;
(d) When applicable, stating management’s responsibility for significant interpretation of the specified requirements and management’s acknowledgement that the interpretation is suitable;
(e) Stating that the criteria used in the engagement are suitable;
(f) Stating that management has disclosed any communications from legislative authorities or counterparties to agreements concerning possible non-compliance with the specified requirements, including communications received between the end of the period addressed in the written statement and the date of the practitioner’s report; and
(g) Stating that management has disclosed any known non-compliance with the specified requirements occurring during the period or subsequent to the period for which, or date as of which, the practitioner concludes.
Non-compliance
As soon as practicable, the audit team shall make the entity’s management aware of significant non-compliance that has come to the practitioner’s attention. For example, instances of non-compliance that may be indicative of unlawful acts or fraud should be brought to the entity’s attention. This means that this information would be shared with the entity even before a draft report on compliance is ready.
Reporting
The conclusion of a direct engagement to report on compliance with specified requirements shall express whether the entity complied with the specified requirements, in all significant respects.
Audit teams are encouraged to refer to the report example in CSAE 3531 to draft their report on compliance. A direct engagement to report on compliance with specified requirements needs to include elements that are in addition to those required under CSAE 3001. The report on compliance needs to include the identification or description of the specified requirements and significant interpretations, if any; a description of the entity management’s responsibility for the entity’s compliance with the specified requirements; a statement that the practitioner believes the evidence obtained is sufficient and appropriate to provide a basis for the practitioner’s opinion; and a statement that the practitioner does not provide a legal opinion of the entity’s compliance with the specified requirements.
Two examples of when CSAE 3531 could apply
Example 1—An engagement where the sole focus and objective would be to determine whether an entity provided services as quickly as the circumstances permit according to the requirement in regulations would be an example of a situation where a report on compliance could be considered. In this case, the intent would be to conclude on whether the entity complied with this specific requirement without looking at other issues.
Example 2—In 2005, the “follow the dollar” mandate was inserted into the Auditor General Act, allowing the OAG to audit recipients under a federal funding agreement (excluding other levels of government) that had received at least $100 million in funding over a five-year period. In 2006, however, amendments under the Federal Accountability Act extended the OAG’s mandate to recipients that had received $1 million or more in funding over a five-year period. This amendment gave the Auditor General the powers, at his discretion, to inquire into the use of federal grants, contributions, or loans, even when they are transferred outside government. Consequently, the OAG could decide or the government could ask the OAG to conduct such an engagement on recipients.
This engagement could be a direct engagement to report on compliance with specified requirements if the goal of the engagement was solely to provide assurance as to whether the recipient complied with the requirements set out in a funding agreement. For example, the government provides funds through transfer payment agreements to private companies or non-profit organizations (the recipients). Those funding agreements include requirements that recipients must respect in order to receive the funds. In a direct engagement to report on compliance with specified requirements, the audit team could audit whether a recipient did what it was supposed to do according to the funding agreement.