Overview

Knowledge of business (KOB) refers to an understanding of how a federal government entity or

key entities in a sector operate, their corporate culture, business challenges, and external
environment. KOB is important for planning performance audits that are risk based, relevant and
timely.

OAG Policy
The audit team shall acquire, maintain, share and document current knowledge of entities in
their respective portfolio, including the risks facing these entities. [Nov-2014]

OAG Guidance
The audit principal responsible for a given entity or sector engages in KOB work continually
through discussions with entity officials and review of documentation and media reports. KOB is
also obtained while developing the Strategic Audit Plan (SAP) (see1510 Selection of audit topics).
Since the SAP is a long-term plan for audits of a sector or entity, the SAP needs to be reevaluated each year to ensure that the right audits are planned. KOB work is required to either
validate a strategic audit plan or identify new risks and areas for audit. If there is no SAP for a
given sector or entity, KOB is the only source of this information.
The audit principal is responsible for multiple entities. Therefore, he/she is responsible for
acquiring, maintaining, sharing, and documenting current knowledge of these entities, including
the broader risks that they face. The audit director shall acquire, maintain, share, and document
detailed knowledge of specific aspects related to the entity(ies) under audit..
KOB serves a number of important functions at different times:

supports objective and well-informed decision making on what to audit, including updates
to risks identified in the Strategic Audit Plan, and any changes to budget envelope
allocations (See section 1510 Selection of audit topics);

makes the planning phase of an audit more focused and efficient;

helps to identify instances where internal specialist support is required;

puts audit findings into context when reporting;

assists in the development of audit recommendations;

helps audit teams prepare for departmental audit committee meetings; and

helps audit teams prepare for Parliamentary committee hearings.

Planning and budgeting KOB work

The Office has budgeted hours for KOB for each sector and for a number of entities (see resource
managers for this information). This budget is to be used to plan and carry out KOB work. This

work may be treated as a project: audit staff are assigned, internal specialists are consulted as
required, and timelines, objectives, and deliverables are established.
Performing KOB work
KOB work should begin with a review of the SAP, a discussion with the relevant annual
audit team, and a review of the annual audit file. In addition, one of the most important
ways to acquire and maintain KOB is to identify and nurture a network of external contacts, both
national and regional, who can provide different perspectives about issues and priorities. In
addition to entity management, consultation with industry experts, and other specialists is key.
These contacts can provide a wealth of information on the entity, sector, or subject area, and can
also help in the selection of external advisors.
KOB work can also include the following, as necessary:

review of media reports;

discussions with internal specialists;

review of internal audit reports;

meetings with chief audit executives;

interviews with departmental audit committee members;

review of entity tracking systems to assess the extent to which audit recommendations
and entity commitments have been implemented;

review of Parliamentary committee minutes and reports;

review of relevant audit reports of other jurisdictions (nationally and internationally);

attendance at relevant conferences; and

site visits.

On an annual basis, the audit team should inform the responsible assistant auditor general and
the Auditor General of any significant changes in risks.
Key entity documents to review could include the following:

Documents internal to the

organization:

Information available on the Internet:

Corporate strategic and business plans;

capital/IM-IT investment plans; operating
budgets; quarterly or other interim
financial reporting

Reports on Plans and Priorities; Departmental

Performance Reports; enterprise and IM-IT
strategic and business plans; IM-IT investment
plans

Performance measurement and reporting

Management Accountability Framework (MAF)

strategies/ frameworks

Reports from Treasury Board of Canada

Secretariat

Minutes of senior management

committees

Recent news articles; industry journals

Briefing notes to the Minister or Deputy

Minister

Parliamentary updates

Integrated Risk Management Framework

Public Accountsdetailed disclosures

(e.g. overpayments)

Briefing binders and minutes from

Departmental Audit Committee

Statutes/authorities/regulations related to the

entity/sector

Risk assessments/corporate risk profile

Proactive Disclosure

Monthly reports to the executive

committee

Senate/House of Commons Committee Reports

Business process mapping documentation Legal cases in relevant program or subject areas
Studies or other internal reviews

Research/academic reports

Memoranda to Cabinet
Treasury Board Submissions
The following are questions to consider when performing this work:
For an entity (or an entity being considered as part of a sector):

What are the entitys mission, mandate, authorities, key programs, priorities?

What are its key objectives, business processes, and performance measuresinputs,
outputs, outcomes?

Who are the primary clients and stakeholders?

How are programs governed, organized, and resourced?

What are the critical IM-IT systems? What are the systems of internal control?

What are the essential knowledge sources, centres of expertise, and key quantitative and
qualitative data sources?

What key challenges/risks/constraints does the organization face?

For a sector:

How is the business defined or characterized? Why is it important to public policy?

Who are key players and stakeholders? To what extent are they interdependent?

What are the coordination mechanisms?

The Key entity/sector risks template includes additional questions.

Teams should be sensitive to requesting too much information from entities and creating
unnecessary burden. Much of this information may be available from the financial audit team.
Auditors should be aware of red flags that could indicate risks, such as the following:

a management tone at the top that is autocratic;

lack of internal management reporting or performance measurement;

dissatisfaction by major business users/stakeholders of key decision-making information

required, resulting in the use of black book systems;

recent major key systems failures or security breaches;

changes in the organization, policies, authorities, or programs, such as

o

high management turnover or long-term vacancies;

significant increase in spending but a decline in performance outputs;

significant variance in revenue or payment streams;

programs or activities introduced or removed in a short period of time;

systems or practices that have not changed in a long time despite changes in the
environment;

high employee grievance rates;

service delivery delays or high error rates;

lawsuits, contingent liabilities, settlements by the Crown;

non-responsiveness to audits or resistance to being audited;

budgets exceeded or under-spent by large amounts;

authority/approval overrides or bypasses;

lack of acknowledgement of risks by management.

Audit teams should look for opportunities to use analytical methods and techniques. Analytic
methods may include the following:

Source of information

Analytics

Financial statementsinternal management

reports.

Budget variance analysis;

expenditure/revenue trend analysis

Interim/quarterly financial statements or reports

to executive committee

Anomalous expenses trend

Interim/quarterly financial statements or reports

to executive committee

Material changes in financial information

Public AccountsPlate I-11 and I-12 (contingent

liabilities) or Plate III-10 (payment of claims
against the Crown) prepared quarterly

New claims against the organization

Public Accounts volume IIIdetails

Over and under payment data

Information on business processes

Business process mapping

Reports to executive committee

Significant changes to performance

indicators

Treasury Board of Canada Secretariat

submissions; memorandum to Cabinet

Changes to the program authority (new

programs, changes to how existing
programs are delivered)

Committee minutes

Reasons for sudden interest by

Parliamentary committees

Legal cases

Systemic reasons for litigation

Deliverables and documentation

KOB information should be documented so that it is not lost when audit staff retire or leave the
Office. This should be captured in the same file as work related to the SAP,with access granted to
those who would benefit from the information. Key documents obtained from the entity or
entities should also be kept in the file and made available within the Office, so that entities are
not asked for the same documents more than once.
Documentation of KOB work should cover

list of documents reviewed and consultations/interviews

results of research and any analysis done, including

o

significant change in authorities, controls, organization/management, resources,

programs, systems

risk diagnosissignificant changes since the SAP

risks increased

risks decreased

new risks

proposed changes to SAP or ongoing audits

o

new audit recommended

planned audit dropped, deferred, or significantly modified in scope or objective

changes to lines of enquiries in audits already in progress

Security of and external access to KOB information

Documents that are obtained by the OAG from entities may come with a security classification
already assigned. This classification must be respected. KOB information should be labeled
protected A, B, or C, depending on the level of harm such information might do to the Office or
an individual should it be disclosed. KOB information has the same status as information created
or obtained during the course of an audit, and therefore would qualify for exemption in
accordance with s.16.1(1)(a) of the Access to Information Act. It is important to note that the
Privacy Act does not have a similar exemption provision. Should personal information be
collected as KOB, it may be released to the individual concerned upon request. For more
information and/or advice on this subject, please contact the OAG ATIP Coordinator.
If access is required to documents that may be subject to solicitor-client or oth

Overview
CPA Canada standards require that the practitioner (principal) and the team have adequate
knowledge of the subject matter. At the beginning of the audit, the audit team conducts research
to gain an understanding of the entity and subject matter of the audit.

CPA Canada Assurance Standards

CPA Canada 5025.30

OAG Policy

During the planning phase, as part of determining the audit strategy for the examination phase,
the audit team shall acquire up-to-date knowledge of the subject matter of the audit, including
the entities involved and associated risks. [Nov2014]
The audit team shall perform a risk-based planning exercise to determine the scope of the audit.
[Nov2014]
The audit team shall also complete an environmental risk assessment. [Nov2011]

OAG Guidance
What the standards mean for understanding the entity and subject matter
The standards require that the practitioner (audit principal) and others performing the assurance
engagement (audit) have adequate knowledge of the subject matter. This is done through the
work described below.

Understanding of the entity or subject matter

When an audit is selected as part of the strategic audit planning process and the executive
committee has approved the chapter submission (OAG Audit 1510 Selection of audit topics), the
audit team reviews the information gathered for the strategic audit plan and identifies additional
information required to update knowledge of the entity and subject matter
(OAG Audit 1505 Acquiring and maintaining knowledge of business). If the audit is governmentwide or sector-wide, the team meets with the audit teams responsible for the entities involved, in
order to benefit from their knowledge and experience.
The following questions should be addressed:

What are the business objectives and business processes related to the subject matter?

Who (what entities and/or what parts of the entities) are involved and what are their
respective responsibilities and accountabilities?

What is the environment in which the entity operates (political/judicial, economic, social,
technological)?

What is the organizational structure of relevant parts of the entity?

Who are the stakeholders (e.g., citizens, other departments or agencies)?

What are the priorities?

Are other organizations doing the same thing (i.e. involved in same area, sector or
business)?

The audit teams uses several techniques to gather the necessary information, including

review of previous OAG audits and studies, and audits conducted by others, as well as
program evaluation;

interviews with the entitys management;

review of authorities, policies, directives, Cabinet documents, and other relevant

documents;

review of the entitys Performance Report and Report on Plans and Priorities;

review of the entitys management and accountability reports and risk assessments;

review of the entitys Internet site;

observation of facilities;

walk-through of major systems and control procedures;

interviews with stakeholders, e.g., organizations affected by the entitys policies;

consultation with outside organizations to identify best practices and opportunities for
improvement;

consideration of potential issues related to OAG internal specialist areas;

discussion with teams responsible for relevant entities and sectoral areas; and

discussion with relevant annual audit team and review of relevant sections of annual
audit files.

Analysis of entity and subject matter risks

Risk is defined here as the likelihood of an event influencing the achievement of
an objective (both positively and negatively). Normally at this stage, the audit team identifies
and analyzes the significant risks or key factors that may affect the relevant entity in achieving
its objectives or fulfilling its mandate and responsibilities related to the subject matter being
audited. The audit team also identifies and analyzes the significant risks or key factors that may
affect the specific topic being audited. The team may also focus on residual riskthe risk that
remains even when controls are in place to mitigate the inherent riskor on areas of suspected
weaknesses.
The risk assessments completed during the strategic audit planning process (OAG Audit
1510 Selection of audit topics) as well as entity teams and sectoral teams work to maintain a
good understanding of the entity (OAG Audit 1505 Acquiring and maintaining knowledge of
business) are the starting points for this analysis.
In assessing the entity and subject matter risks for scoping, teams should also consider the
relevance of some key risk areas to the subject matter and/or entities involved in the audit.
Teams do this by completing a mandatory preliminary subject matter/entity risk screening

form. This process should trigger teams to consult with relevant internal specialists and it
informs the teams risk-based planning and audit scoping decisions.
At this point, teams must also consider environmental risks for the audit. This requires the
identification and assessment of any potential environmental issues. The audit team considers
the entitys sustainable development strategies, any physical infrastructure projects (which may
be subject to the Canadian Environmental Assessment Act), facilities and other aspects of
government operations, and the potential impact of specific activities on the environment, among
other areas. The team documents this in a standard form that requires sign-off by the internal
specialist for sustainable development and the environment.
The team can classify risks as low, medium, or high, while recognizing the relative importance of
both probability and impact. Close attention should be given to areas assessed as high risk.

Next steps
After gaining a good understanding of the entity (or entities) and the subject matter of the audit
through research and risk analysis, the principal determines whether the audit team has
sufficient subject matter knowledge to conduct the audit, and whether it needs to engage
consultants with specific subject matter expertise. If the principal decides to hire a consultant, he
or she must follow Office policies for procurement and contracting.
The audit team conducts a preliminary screening of common risk areas in developing its audit
strategy and the audit logic matrix (ALM) (OAG Audit 4044 Developing the audit strategy: audit
logic matrix). The ALM sets out

preliminary audit objectives (OAG Audit 4041 Audit objectives),

the proposed audit scope and a general description of the proposed audit approach
(OAG Audit 4042 Audit scope),

draft audit criteria and their sources (OAG Audit 4043 Audit criteria), and

proposed lines of enquiry (areas of audit).

The audit team refines the ALM throughout the planning phase until it is finalized and will include
the key information later in the audit plan summary (OAG Audit 4090 Entity management's
acknowledgement of responsibility: audit plan summary).