Professional Documents
Culture Documents
OAG Policy
The audit team shall acquire, maintain, share and document current knowledge of entities in
their respective portfolio, including the risks facing these entities. [Nov-2014]
OAG Guidance
The audit principal responsible for a given entity or sector engages in KOB work continually
through discussions with entity officials and review of documentation and media reports. KOB is
also obtained while developing the Strategic Audit Plan (SAP) (see1510 Selection of audit topics).
Since the SAP is a long-term plan for audits of a sector or entity, the SAP needs to be reevaluated each year to ensure that the right audits are planned. KOB work is required to either
validate a strategic audit plan or identify new risks and areas for audit. If there is no SAP for a
given sector or entity, KOB is the only source of this information.
The audit principal is responsible for multiple entities. Therefore, he/she is responsible for
acquiring, maintaining, sharing, and documenting current knowledge of these entities, including
the broader risks that they face. The audit director shall acquire, maintain, share, and document
detailed knowledge of specific aspects related to the entity(ies) under audit..
KOB serves a number of important functions at different times:
supports objective and well-informed decision making on what to audit, including updates
to risks identified in the Strategic Audit Plan, and any changes to budget envelope
allocations (See section 1510 Selection of audit topics);
helps audit teams prepare for departmental audit committee meetings; and
work may be treated as a project: audit staff are assigned, internal specialists are consulted as
required, and timelines, objectives, and deliverables are established.
Performing KOB work
KOB work should begin with a review of the SAP, a discussion with the relevant annual
audit team, and a review of the annual audit file. In addition, one of the most important
ways to acquire and maintain KOB is to identify and nurture a network of external contacts, both
national and regional, who can provide different perspectives about issues and priorities. In
addition to entity management, consultation with industry experts, and other specialists is key.
These contacts can provide a wealth of information on the entity, sector, or subject area, and can
also help in the selection of external advisors.
KOB work can also include the following, as necessary:
review of entity tracking systems to assess the extent to which audit recommendations
and entity commitments have been implemented;
site visits.
On an annual basis, the audit team should inform the responsible assistant auditor general and
the Auditor General of any significant changes in risks.
Key entity documents to review could include the following:
strategies/ frameworks
Parliamentary updates
Proactive Disclosure
Business process mapping documentation Legal cases in relevant program or subject areas
Studies or other internal reviews
Research/academic reports
Memoranda to Cabinet
Treasury Board Submissions
The following are questions to consider when performing this work:
For an entity (or an entity being considered as part of a sector):
What are the entitys mission, mandate, authorities, key programs, priorities?
What are its key objectives, business processes, and performance measuresinputs,
outputs, outcomes?
What are the critical IM-IT systems? What are the systems of internal control?
What are the essential knowledge sources, centres of expertise, and key quantitative and
qualitative data sources?
For a sector:
Who are key players and stakeholders? To what extent are they interdependent?
systems or practices that have not changed in a long time despite changes in the
environment;
Audit teams should look for opportunities to use analytical methods and techniques. Analytic
methods may include the following:
Source of information
Analytics
Committee minutes
Legal cases
risks increased
risks decreased
new risks
Overview
CPA Canada standards require that the practitioner (principal) and the team have adequate
knowledge of the subject matter. At the beginning of the audit, the audit team conducts research
to gain an understanding of the entity and subject matter of the audit.
OAG Policy
During the planning phase, as part of determining the audit strategy for the examination phase,
the audit team shall acquire up-to-date knowledge of the subject matter of the audit, including
the entities involved and associated risks. [Nov2014]
The audit team shall perform a risk-based planning exercise to determine the scope of the audit.
[Nov2014]
The audit team shall also complete an environmental risk assessment. [Nov2011]
OAG Guidance
What the standards mean for understanding the entity and subject matter
The standards require that the practitioner (audit principal) and others performing the assurance
engagement (audit) have adequate knowledge of the subject matter. This is done through the
work described below.
What are the business objectives and business processes related to the subject matter?
Who (what entities and/or what parts of the entities) are involved and what are their
respective responsibilities and accountabilities?
What is the environment in which the entity operates (political/judicial, economic, social,
technological)?
Are other organizations doing the same thing (i.e. involved in same area, sector or
business)?
The audit teams uses several techniques to gather the necessary information, including
review of previous OAG audits and studies, and audits conducted by others, as well as
program evaluation;
review of the entitys Performance Report and Report on Plans and Priorities;
review of the entitys management and accountability reports and risk assessments;
observation of facilities;
consultation with outside organizations to identify best practices and opportunities for
improvement;
discussion with teams responsible for relevant entities and sectoral areas; and
discussion with relevant annual audit team and review of relevant sections of annual
audit files.
form. This process should trigger teams to consult with relevant internal specialists and it
informs the teams risk-based planning and audit scoping decisions.
At this point, teams must also consider environmental risks for the audit. This requires the
identification and assessment of any potential environmental issues. The audit team considers
the entitys sustainable development strategies, any physical infrastructure projects (which may
be subject to the Canadian Environmental Assessment Act), facilities and other aspects of
government operations, and the potential impact of specific activities on the environment, among
other areas. The team documents this in a standard form that requires sign-off by the internal
specialist for sustainable development and the environment.
The team can classify risks as low, medium, or high, while recognizing the relative importance of
both probability and impact. Close attention should be given to areas assessed as high risk.
Next steps
After gaining a good understanding of the entity (or entities) and the subject matter of the audit
through research and risk analysis, the principal determines whether the audit team has
sufficient subject matter knowledge to conduct the audit, and whether it needs to engage
consultants with specific subject matter expertise. If the principal decides to hire a consultant, he
or she must follow Office policies for procurement and contracting.
The audit team conducts a preliminary screening of common risk areas in developing its audit
strategy and the audit logic matrix (ALM) (OAG Audit 4044 Developing the audit strategy: audit
logic matrix). The ALM sets out
the proposed audit scope and a general description of the proposed audit approach
(OAG Audit 4042 Audit scope),
draft audit criteria and their sources (OAG Audit 4043 Audit criteria), and
The audit team refines the ALM throughout the planning phase until it is finalized and will include
the key information later in the audit plan summary (OAG Audit 4090 Entity management's
acknowledgement of responsibility: audit plan summary).