Report on a Review of the Financial Audit Practice—Financial Audits Completed in the 2016–17 Fiscal Year
Report on a Review of the Financial Audit Practice—Financial Audits Completed in the 2016–17 Fiscal Year
Introduction
1. The Office of the Auditor General of Canada (the Office) conducts independent audits and studies that provide objective information, advice, and assurance to Parliament, territorial legislatures, boards of Crown corporations, government, and Canadians. The Office carries out three main types of legislative audits: financial audits, performance audits, and special examinations. Performance audits and special examinations are referred to as direct engagements.
2. Financial audits include audits of the financial statements of the Government of Canada, the three northern territories, Crown corporations, and other organizations. They are performed in accordance with Canadian Auditing Standards. The objective of financial audits is to provide an opinion on whether financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework. Where required, the auditor also provides an opinion on whether the transactions examined comply with all applicable laws and regulations.
3. The mission of the Practice Review and Internal Audit team is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. The team helps the Office accomplish its objectives by offering management recommendations based on the application of a systematic, disciplined approach to evaluating and approving the design and effectiveness of risk management, control, and governance processes.
4. The team helps the Office meet its obligations under Canadian Standard of Quality Control 1 of the Chartered Professional Accountants of Canada. It does this by conducting inspections to determine the extent to which engagement leaders are complying with professional standards, Office policies, and applicable legislative and regulatory requirements when conducting their audits, and to ensure that independent auditors’ reports are supported and appropriate.
5. The team also performs its work in accordance with the Office’s most recent Practice Review and Internal Audit Plan, as recommended by the Audit Committee and approved by the Auditor General. The Plan is based on systematic, cyclical monitoring of the work of all engagement leaders in the Office.
6. To ensure that audits meet the standards of the Chartered Professional Accountants of Canada, the Office establishes policies and procedures for its work. These are outlined in the Office’s Annual Audit Manual, in its System of Quality Control, and in various other audit tools that guide auditors through the required steps. The two assistant auditors general responsible for financial audits provide leadership and oversight of the Office’s financial audit practice and contribute to the quality of individual audits.
7. This report summarizes the key observations related to the practice reviews of selected financial audits completed in the 2016–17 fiscal year.
Overview
Objective
8. The objective of practice review is to provide the Auditor General with assurance that
- financial audits comply with professional standards, Office policies, and applicable legislative and regulatory requirements; and
- independent auditors’ reports are supported and appropriate.
Scope and methodology
9. The Practice Review and Internal Audit team conducted practice reviews of six financial audits completed in the 2016–17 fiscal year and one financial audit completed in the 2015–16 fiscal year.Footnote 1 Our methodology requires that we review a selection of completed audits on a cyclical basis, including at least one engagement for each engagement leader over a four-year monitoring cycle. We used a random sampling approach to select the engagement leaders and their related files.
10. Our reviews included an examination of electronic (TeamMate) files as well as paper files, if applicable. We reviewed documentation related to the planning, examination, and reporting of the audits. We also met selected audit team members and other internal specialists, as needed, to discuss issues.
11. We reviewed all files selected in terms of the System of Quality Control (Appendix A). We focused our work on the selected elements and process controls that we considered to be key or high risk (Appendix B) in the selected audits.
Rating
12. For each audit reviewed, we rated each selected System of Quality Control element and process control as one of the following:
- Compliant. Performance is satisfactory, with minor improvement possible; the audit file is in compliance, in all significant respects, with Canadian Auditing Standards and Office policies.
- Compliant while improvements needed. Improvements are necessary in one or more areas to fully comply with Canadian Auditing Standards and Office policies.
- Non-compliant. Significant deficiencies exist; the audit does not comply with Canadian Auditing Standards or Office policies.
13. After completing each practice review, we concluded whether the independent audit opinion was supported and appropriate. We also concluded whether the audit file was compliant overall with Canadian Auditing Standards and with Office policies.
Results of the Reviews
Appropriateness of the audit reports
14. Overall, we found that the independent audit opinions were supported and appropriate in the seven files reviewed.
Compliance with the System of Quality Control elements and process controls
15. In general, the overall level of compliance with the System of Quality Control elements was good. All seven files were compliant while improvements were needed. For more information, see the Observations section.
16. It is important to note that our overall conclusion on a specific file is based on the review of all elements of the System of Quality Control. Consequently, it is possible to be non-compliant with one element of the System of Quality Control even though the overall conclusion is “compliant while improvements needed.”
Observations
Independence Confirmation form
17. For the current practice review cycle for both financial audits and direct engagements, we have performed a more detailed review of the Independence Confirmation forms.
18. The Office has established policies and procedures for independence, which are documented in both the financial audit and direct engagement practice manuals. Both manuals outline the following policy in Section 3031—Independence:
All individuals who meet the definition of an engagement team member, including internal and, where appropriate, external specialists, shall confirm their independence before commencing work on the engagement. [NovemberNov-2011]
19. Our understanding is that this policy requirement is intended to ensure that all threats to independence are identified on a timely basis so that their significance can be assessed, and so that safeguards can be put in place to reduce or eliminate all significant threats to an acceptable level.
20. We found that the seven files reviewed were not in compliance with one of the requirements of the Office’s policy on independence. We noted that engagement team members had charged time to the audit before completing their Independence Confirmation forms.
21. It is important to note that no threats to independence were identified in the files that we reviewed.
22. We reviewed more than 150 Independence Confirmation forms. Overall, we noted that more than one third of engagement team members charged time to the engagement before completing their Independence Confirmation forms. On average, these individuals charged 13 hours to the audit before they completed their forms. We identified many cases in which more than 40 hours had been charged to the engagement before the form was completed.
23. We believe that this is a systemic matter that requires one or more of the following: corrective action, changes to the Office’s policy, or changes to the Office’s procedures.
24. The Office’s Annual Audit Manual also states the following in Section 3031—Independence:
The engagement leader shall form a conclusion on team members’ compliance with independence requirements that apply to the assurance engagement. [Nov-2011]
25. To help employees interpret some of its policies, the Office has developed a document entitled Independence—Frequently Asked Questions (FAQ). Question 15 of this document is “What should be done with a completed Independence Confirmation?" The response states that a “completed Independence Confirmation must be reviewed by the engagement leader before the engagement team member commences work on the assurance engagement.”
26. We consulted with the Office’s Internal Specialist—Values and Ethics and the principal responsible for the Annual Audit Practice team to have their views on question 15 of the FAQ document. We were informed that although the policy does not require leaders to review the Independence Confirmation forms before team members commence work, the question was developed to minimize the risk that engagement leaders would delay their review and approval of the forms. The objective is to ensure that each engagement leader has taken appropriate action against potential threats to independence reported in the Independence Confirmation forms. This must be done on a timely basis.
27. In performing our reviews, we found delays in the engagement leader’s review and approval of the Independence Confirmation forms. The seven files reviewed were assessed in relation to this requirement as compliant, with improvement needed. Indeed, we noted that for two thirds of the more than 150 Independence Confirmation forms reviewed by the Practice Review and Internal Audit team, individuals had charged, on average, 29 hours to the audit before the engagement leader had reviewed and approved the forms. We found many cases in which more than 40 hours had been charged to the audit before the Independence Confirmation form was reviewed and approved.
28. We believe that this matter is also a systemic one that requires one or more of the following: corrective action, changes to the Office’s policy, or changes to the Office’s procedures.
29. Recommendation to the Financial Audit Practice. Engagement leaders should
- ensure that engagement team members confirm their independence before commencing work on an engagement; and
- confirm the independence of engagement team members by reviewing and approving each member’s Independence Confirmation form before the member begins working on an engagement.
Management’s response. Agreed. Engagement and practice leaders will work with the Annual Audit Practice team and auditors to identify and implement improvements to the process and practice of confirming engagement team members’ independence in response to these practice review observations.
30. Recommendation to Audit Services. Audit Services should assess whether changes are required to the independence confirmation process or policy, or both.
Management’s response. Agreed. Audit Services has previously identified opportunities to improve the efficiency and effectiveness of the independence confirmation process and has submitted a project proposal to Information Technology Services to improve the process through greater use of automation and the Office’s time reporting system.
In the interim, while awaiting project resources, Audit Services will evaluate whether changes could be made to the audit methodology concerning independence to improve its design and operating effectiveness.
Security of sensitive information
31. In our Report on a Review of the Financial Audit Practice—Financial Audits Completed in the 2015–16 Fiscal Year, we noted that audit staff needed to be made aware of the Office’s security policy, and that any document stored in TeamMate needed to be assessed against the policy and be labelled according to the proper security level. We are pleased to report that in our review of this year’s files, we have observed significant improvement in the application of the Office’s security policy. Only two of the seven files reviewed included documents that were not properly labelled in accordance with the Office’s security policy.
Supervision and review
32. We noted that in the area of supervision and review, five of the seven files were in compliance while improvements were needed. Our observations are summarized and discussed in the following paragraphs.
33. In two files, we noted that the audit team did not use some of the most recent templates available at the time of the audit, thereby risking non-compliance with the current Office methodology. If the audit team chooses to roll over the TeamMate file of the previous year, the engagement leader must ensure that an assessment of the impact of the changes in the methodology is performed and properly documented in the audit file to ensure compliance with the Office’s relevant methodology.
34. In one file, we saw evidence that members of senior management were involved in the audit, but we noted that many final sign-offs in TeamMate were not done in a timely manner.
35. In one file, we noted that the subsequent event procedures had been signed off in TeamMate before the date of the auditor’s report. The engagement leader must ensure that the work is being performed and documented before the audit steps are signed off.
36. In one file, we noted that the instructions for an audit step were vague and did not provide enough direction to the auditor. The Engagement Leader should ensure that the extent of the evidence to be gathered is clearly documented in the Summary of Comfort.
Experienced auditor principle
37. In one file, the audit team used a system description from another entity’s audit file. Thus, many documents were included in the file under review without proper explanation as to why those documents were placed there. The nature and extent of the audit procedures performed needed to be properly documented. In the same file, improvement was also needed in the testing of subsequent journal entries. A reference was made to a working paper for which no testing was performed after year-end. The audit team was able to provide evidence that this did not change the audit conclusion for the sections under review. We have reported that the file was in compliance while improvements were needed.
38. In two files, we noted that the quality of the working papers could have been improved in many cases. When considered individually, none of the working papers had significant issues, but together, they demonstrated that improvement was needed to ensure that the audit team properly documents the audit work carried out, according to the experienced auditor principle.
Quality Control Review
39. A quality reviewer was assigned to two of the files selected for our review. The work performed by the quality reviewers met the Office’s policy requirements.
Conclusion
40. Some financial audits we reviewed required that an independent auditor’s report be issued. In these cases, we concluded that the reports were supported and appropriate.
41. We concluded that all seven files were compliant, while improvements were needed.
Appendix A—System of Quality Control Elements
Text version
This diagram shows three sides of a cube, each side depicting aspects of the System of Quality Control.
The top of the cube shows the objectives of the System of Quality Control:
- Compliance with professional standards and applicable legal and regulatory requirements; and
- Reports issued are appropriate in the circumstances.
The right side of the cube shows the two levels of the System Quality Control:
- Firm level (Canadian Standards for Quality ControlCSQC 1)
- Engagement level (Canadian Auditing StandardCAS 220 or Canadian Standard for Assurance EngagementsCSAE 3001)
The left side of the cube shows the elements of the System of Quality Control:
- leadership,
- ethics and independence,
- acceptance and continuance,
- human resources,
- engagement performance, and
- monitoring
Appendix B—System of Quality Control Elements and Process Controls Reviewed
Our review covers the following System of Quality Control elements:
- leadership,
- ethics and independence,
- acceptance and continuance,
- human resources, and
- engagement performance.
Leadership. We reviewed whether the engagement leaders ensured that the audits were carried out in compliance with Office policies, professional standards, the System of Quality Control, and applicable legal and regulatory requirements.
Ethics and independence. We reviewed whether the engagement leaders ensured that the independence of all individuals performing audit work, including specialists, had been properly assessed and documented.
Acceptance and continuance. For initial or recurring engagements, we reviewed whether engagement leaders assessed that the team had the necessary competence, capability, time, and resources; that the team complied with relevant ethical requirements; and that it considered management’s integrity.
Human resources. We reviewed whether the engagement leaders assessed the audit team’s adequacy, availability, proficiency, competence, and resources, and whether they documented their assessments.
Engagement performance
Within the engagement performance element, we also assessed the following:
- Supervision and review. We reviewed whether engagement leaders ensured that the audit files had documentation regarding who reviewed the audit work performed, the date, and the extent of the review.
- Consultation. We reviewed whether the engagement leaders ensured that appropriate consultations took place in a timely manner, when required.
- Engagement quality control review. We reviewed whether the quality reviews were carried out in a timely manner and whether the quality reviewers performed objective evaluations of the significant judgments made by the teams, the conclusions reached in supporting the auditor’s reports, and other significant matters.
- Differences of opinion. If differences of opinion occurred, we reviewed whether the engagement leaders followed the Office’s established processes for addressing them.
- Engagement documentation. We reviewed whether engagement leaders properly addressed the confidentiality, safe custody, integrity, accessibility, retrievability, and retention of documentation, and whether the final assembly of the engagement files were completed on a timely basis (that is, the 60-day rule).
Other Canadian Auditing Standards requirements and Office policies
We reviewed whether engagement leaders ensured that the audit was planned, executed, and reported in accordance with Canadian Auditing Standards, applicable legislation, and Office policies and procedures.
We also considered whether the Office met its reporting responsibilities by having in place appropriate audit methodology, recommended procedures, and practice aids to support efficient audit approaches and to produce sufficient audit evidence at the appropriate time.