Report on a Review of the Annual Audit Practice—Practice Reviews Conducted in the 2013–14 Fiscal Year
Table of Contents
- Results of the Reviews
- Appropriateness of the audit reports
- Compliance with the System of Quality Control and process controls
- Good practices
- Main observations
- Difficulty in evaluating and documenting the design and implementation of relevant controls and other related observations
- Lack of consistency in carrying forward risks and linking them to the audit strategy during audit planning
- Lack of evidence of the nature, extent, and timeliness of review by senior management in the audit file
- Other observations
- Considerations for the Practice
- Appendix A—System of Quality Control Elements (Annual Audit)
- Appendix B—System of Quality Control Elements and Process Controls Reviewed
1. The Office of the Auditor General conducts independent audits that provide objective assurance, advice, and information to Parliament, territorial legislatures, governments, boards of directors, and Canadians alike. The Office has several product lines, including performance audits, annual audits, and special examinations.
2. Annual audits include audits of the summary financial statements of the Government of Canada and the three northern territories, and of the financial statements of Crown corporations and other entities. They are performed in accordance with Canadian Auditing Standards. The objective of annual audits is to provide an opinion on whether financial statements are presented fairly, in accordance with the applicable financial reporting framework. Where required, the auditor also provides an opinion on whether the transactions examined comply, in all significant respects, with the legislative authorities that are relevant to a financial audit.
3. The Practice Review and Internal Audit team conducted practice reviews of seven selected annual audits that were reported in 2013. This work was done in accordance with the monitoring section of the Canadian Institute of Chartered Accountants (CICA) Handbook—Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements (CSQC 1) (Footnote 1). It was also done in accordance with the Office’s 2013–14 Practice Review and Internal Audit Plan, which was recommended by the Audit Committee and approved by the Auditor General. The Plan is based on systematic monitoring of the work of all audit principals in the Office, on a cyclical basis.
4. To meet CICA standards, the Office establishes policies and procedures for its work. These are outlined in an audit manual, a system of quality control and various other audit tools that guide auditors through a set of required steps to ensure that the audits are conducted according to professional standards and Office policies. There is a product leader at the assistant auditor general level for the annual audit product line, whose primary functions are to provide leadership and oversight for the product line and to contribute to the quality of the individual audits.
5. This report summarizes the major observations related to the practice reviews of the selected annual audits.
6. The objective of practice reviews is to provide the Auditor General with assurance that
- annual audits comply with professional standards, Office policies, and applicable legislative and regulatory requirements; and
- audit reports are supported and appropriate.
Scope and methodology
7. We planned to conduct six practice reviews of annual audits in the 2013–14 fiscal year. We conducted seven practice reviews of audit files (Footnote 2). Audit opinions had been issued for five of these audits. The other two files were components of group audits, for which opinions were not issued. The reviews were conducted on audit files for financial statements with fiscal years ending between July 2012 and July 2013.
8. Our reviews used electronic (TeamMate) and paper audit files. We reviewed documentation related to the planning, examination, and reporting of the audits. We also interviewed audit team members, engagement quality control reviewers (EQCRs), and other internal specialists, as appropriate.
System of Quality Control elements and process controls reviewed
9. We focused our work on the selected elements (Appendix A) and key process controls (Appendix B) of the System of Quality Control (SoQC) for annual audits that we considered to be of key or high risk.
10. We also looked at how the EQCRs carried out their responsibilities. EQCRs are management-level employees of the Office who provide an objective evaluation, before the auditor’s report is issued, of the significant judgments that the audit team made and of the conclusions that it reached when it was formulating the audit opinion. The EQCRs are an important part of the Office’s SoQC. They are involved in selected individual audits from the initial planning decisions to the closing of the audit file.
11. We applied one of the following ratings to each selected SoQC element of the individual audits under review:
- Compliant. Office policy requirements and applicable auditing standards were met.
- Compliant but needs improvement. Improvements are necessary in some areas to fully comply with Office policies and professional auditing standards.
- Non-compliant. Major deficiencies exist; there is non-compliance with Office policies or professional auditing standards.
12. After completing each practice review, we concluded on whether the audit opinion was supported and appropriate.
13. This report highlights the procedures performed, the observations and recommendations made, and management responses.
Results of the Reviews
Appropriateness of the audit reports
14. Overall, we found that in the five files reviewed for which audit opinions were issued, the opinions were supported and appropriate. In the two files that were part of group audits, the communications to the group auditor were supported and appropriate.
Compliance with the System of Quality Control and process controls
15. Generally, the level of compliance with the System of Quality Control (SoQC) elements was very good. One file was fully compliant with professional standards and Office policies. Six files needed improvement in at least one SoQC element. One of these six files was non-compliant because of lack of evidence of the nature and extent of the practitioner’s review.
16. There were no observations related to work of the engagement quality control reviewer (EQCR) (Footnote 3).
17. During our reviews of the audit files, we observed the following good practices:
- the preparation of a document that lists the risks identified during the planning phase as well as which audit risks were carried forward to various audit planning documents, such as the Audit Planning Template and Annual Audit Plan, to ensure consistency and relevance;
- the preparation of a document that tracks the application and disposition of instructions issued by the group; and
- the tracking of the assignment planning and assessment forms to ensure that they were completed and approved on a timely basis.
These documents were very useful for reviewing the work planned and completed, and for ensuring that staff was provided with appropriate direction and feedback on a timely basis.
18. Paragraphs 19 to 26 refer to the engagement performance element of the SoQC.
19. We are unable to report statistically significant practice-wide observations in this summary report (Footnote 4). Such observations require a larger sample of reviews, which will not be available until the 2014–15 fiscal year. However, we are able to report the following findings that we observed in a number of files:
- difficulty in evaluating and documenting the design and implementation of relevant controls and other related observations;
- lack of consistency in carrying forward risks and linking them to the audit strategy during audit planning; and
- lack of evidence of the nature, extent, and timeliness of review by senior management in the audit file.
20. As we noted last year, an audit team should evaluate the design and implementation of relevant controls, regardless of whether or not reliance on controls is planned. Relevant documentation should be prepared to demonstrate that an understanding of the controls put in place by management has been considered as part of the risk assessment process, and that appropriate conclusions have been reached and audit plans developed. In some instances (for the cycles and components reviewed),
- there was no evidence that the assessment was conducted appropriately, and there was no documentation to support the decision; and
- the audit team did not perform walk-throughs for certain financial statement cycles and components, and thus could not conclude on whether the controls operated as described.
21. Two of the audit files reviewed failed to properly document
- how some risks are being addressed in the audit planning template;
- the judgment associated with the significant risks that are being carried forward to the audit plan; and
- the alignment between the audit strategy, the audit planning template, and the audit work performed in the detailed file sections.
22. In two files, we noted that senior management (director and/or principal) had not performed a timely review at the planning phase of the audit, and that there was a lack of evidence of the review of the key planning documentation. In addition, one of the files lacked evidence of the practitioner’s involvement with the high-risk section of the file.
Validation of accuracy and completeness of the populations used for sampling
23. When using information produced by the entity or when relying on the work of an expert (such as an actuary), audit teams should evaluate whether the information is sufficiently reliable—in particular, when obtaining evidence of accuracy and completeness of the information. This evaluation was not sufficiently documented in three of the files reviewed.
Inconsistencies in documentation of the accept/reject testing
24. Two of the files reviewed had inconsistencies surrounding the results from the accept/reject testing. It was often unclear how the audit team assessed the nature of the error, which was not in line with the original definition of the exception, and what the impact would be on the audit testing.
Considerations for the Practice
25. During our practice reviews of annual audits, we noted some areas where audit teams would appreciate methodological clarification.
26. One area is in the time audit teams spent on assessing the relationship with Shared Services Canada (SSC) and whether there was a need to obtain audit evidence over the services provided. Shared Services Canada provides a variety of services to many government departments and agencies. Given that all audit teams of departments and agencies may need to assess the relationship with SSC, we believe that the Office should consider if taking a centralized approach to this assessment would be more efficient.
27. For each of the seven annual audits that we reviewed, the auditor’s report was supported and appropriate.
28. While the level of compliance with Office policies and professional audit standards is high, we observed that improvement is needed in some areas, specifically
- adequate conduct of work and documentation related to evaluation of design and implementation of controls;
- better alignment of audit planning documents to risk assessment; and
- better documentation of the nature, extent, and timeliness of the practitioner’s involvement in the audit file.
29. While we note that some practitioners could make improvements in the application of some professional standards, we are making no recommendations to the Practice or to the Professional Practices Group, as the nature and extent of our observations do not yet suggest systemic or pervasive issues.
Management thanks the Practice Review and Internal Audit team for its report and agrees that the observations do not reflect systemic or pervasive practice-wide issues. As a result, management will discuss the implications of the report with those affected.
Appendix A—System of Quality Control Elements (Annual Audit) (Footnote 5)
Appendix B—System of Quality Control Elements and Process Controls Reviewed
Our review covers the following System of Quality Control elements:
Engagement performance. We reviewed whether the audit was planned, executed, and reported in accordance with Canadian generally accepted auditing standards, applicable legislation, and Office policies and procedures. We considered whether the Office meets its reporting responsibilities by having in place appropriate audit methodology, recommended procedures, and practice aids that support efficient audit approaches, producing sufficient audit evidence at the appropriate time.
As part of the conduct of the audit, we also reviewed audit file finalization. We determined whether audit files were closed within 60 days of the auditor’s report being given final clearance by the signatory and the financial statements being approved by the Board of Directors of the entity, or its equivalent, as required by Office policy.
We reviewed whether consultation was sought from authoritative sources and specialists with appropriate competence, judgment, and authority to ensure that due care was taken, particularly when dealing with complex, unusual, or unfamiliar issues. We also reviewed whether the consultations were adequately documented, and whether the audit team took appropriate and timely action in response to the advice received from the specialists and other parties consulted.
We reviewed whether the quality reviewer carried out, in a timely manner, an objective evaluation of
- the significant judgments made by the team,
- the conclusions reached in supporting the auditor’s report, and
- other significant matters that have come to the attention of the quality reviewer during his or her review.
We reviewed whether the work of the quality reviewer was adequately documented, and whether the audit team took appropriate and timely action in response to the advice received from the quality reviewer.
Resources. We reviewed whether the adequacy, availability, proficiency, competence, and resources of the audit team were appropriately assessed and documented.
Independence. We reviewed whether the independence of all individuals performing audit work, including specialists, had been properly assessed and documented.
Leadership and supervision. We reviewed evidence of whether individuals working on the audit received an appropriate level of leadership and direction and whether adequate supervision of all individuals, including specialists, was provided to ensure that audits were carried out properly.
- Footnote 1
Effective 1 November 2013, the CICA Board of Directors approved the renaming of the three handbooks to reflect that they are now published by the Chartered Professional Accountants of Canada (CPA Canada). Because practice reviews are conducted on products from the past, this report refers to the CICA, rather than the CPA.
- Footnote 2
Of seven practice reviews conducted, six were planned and executed in the 2013–14 fiscal year. One review, related to the 2012–13 practice review cycle, was started and completed in 2013.
- Footnote 3
Of the seven files reviewed, only one file had been assigned an EQCR.
- Footnote 4
As stated in the Practice Review and Internal Audit Plan 2013–14, we will present the statistically significant practice-wide observations in the 2014–15 Annual Audit summary report.
- Footnote 5
The standards used for audit quality at the Office level are Canadian Standards on Quality Control (CSQC 1). A quality control standard at the engagement level for annual audits is the Canadian Auditing Standard (CAS) 220 Quality Control for an Audit of Financial Statements.