AFM 451: Audit Strategy

Colin Shaw

Estimated study time: 1 hr 12 min

Table of contents

Sources and References

Primary textbook — Arens, A. A., Elder, R. J., Beasley, M. S., Hogan, C. E., Splettstoesser-Hogeterp, I., & Ferrara, C. Auditing: The Art and Science of Assurance Engagements, 15th Canadian ed. Pearson Canada, 2023. Supplementary — Canadian Auditing Standards (CAS) / International Standards on Auditing (ISA), CPA Canada Handbook; Public Company Accounting Oversight Board (PCAOB) Auditing Standards; IAASB Handbook of International Quality Management, Auditing, Review, Other Assurance, and Related Services Pronouncements; CPAB (Canadian Public Accountability Board) Annual Inspection Reports 2022–2024. Research — Kinney, W. R. (2005). “Audit Quality and Investor Protection.” The Accounting Review, 80(1), 71–88. Bell, T. B., Peecher, M. E., & Solomon, I. (2005). The 21st Century Public Company Audit: Conceptual Elements of KPMG’s Global Audit Methodology. KPMG.

Chapter 1: Strategic Foundations of Audit Strategy

1.1 What Is Audit Strategy?

An audit strategy is the overarching plan that specifies, at a high level, the scope, timing, and direction of an audit engagement. It is distinguished from the detailed audit plan — which itemizes the nature, timing, and extent of individual procedures — by its focus on strategic-level decisions that guide the entire engagement. Understanding the distinction matters: strategy is set before detailed planning, and detailed planning flows from it.

The audit strategy addresses fundamental questions:

What is the overall approach — will the engagement rely on controls testing to reduce substantive work, or will it take a primarily substantive approach?
Which account balances and transaction classes carry the highest inherent risk and therefore demand the deepest scrutiny?
What is the overall materiality and how does it translate into performance thresholds at the assertion level?
How will the engagement team be structured, and what specialist knowledge is required?
Are there components (subsidiaries, divisions) requiring separate consideration, and how will group audit coordination be managed?

Audit Strategy — A document establishing the scope, timing, and direction of an audit at the engagement level. Per CAS 300 / ISA 300, auditors are required to establish an overall audit strategy that sets the characteristics of the engagement, determines the reporting objectives, and considers the factors significant in directing the engagement team's efforts. The strategy must be documented and updated as circumstances change throughout the engagement.

The strategy is not static. As new information emerges during fieldwork — unexpected control weaknesses, unusual transactions, changed business conditions — the auditor reassesses and revises both strategy and plan. CAS 300 explicitly contemplates this iterative process.

1.2 The Risk-Based Audit Approach

Modern auditing is unequivocally risk-based. Auditors allocate effort proportionally to where the risk of material misstatement (RMM) is highest. This represents a fundamental departure from the “tick-and-check” auditing of earlier eras, when large proportions of transactions were mechanically verified without reference to underlying risk.

The risk-based approach rests on a simple logic: the purpose of an audit is to obtain reasonable assurance that the financial statements as a whole are free from material misstatement. If some accounts are highly unlikely to be materially misstated (low inherent risk, strong controls), relatively less evidence is needed there. If other accounts face significant misstatement risk (complex estimates, management judgment, pressure to meet targets), substantial evidence is required.

Historical context: The shift to risk-based auditing in Canada and internationally was driven by a series of high-profile audit failures in the late 1990s and early 2000s — Enron, WorldCom, Nortel, Livent — that demonstrated the inadequacy of mechanical, checklist-driven approaches. The post-Enron regulatory response (Sarbanes-Oxley Act in the US, Bill 198 in Canada, creation of PCAOB and CPAB) accelerated the adoption of risk-based standards. The current CAS suite, adopted in Canada effective for years beginning on or after December 15, 2009, codifies the risk-based approach that had been developing in professional practice.

1.3 The Audit Risk Model

The Audit Risk Model (ARM) provides a conceptual framework for understanding how individual risk components interact to produce overall audit risk:

\[ AR = IR \times CR \times DR \]

where:

AR (Audit Risk): The risk the auditor expresses an inappropriate (clean) opinion on materially misstated financial statements. Typically targeted at approximately 5% overall, though this is not a rigid rule — it represents an acceptably low probability of error.
IR (Inherent Risk): The susceptibility of a financial statement assertion to misstatement, assuming no related controls. Inherent risk is a property of the subject matter: estimates are inherently riskier than routine cash transactions; related-party transactions are inherently riskier than arm’s-length ones.
CR (Control Risk): The risk that a material misstatement will not be prevented, or detected and corrected, by the entity’s internal control. CR reflects the quality of the entity’s control environment and specific controls over relevant assertions.
DR (Detection Risk): The risk that the auditor’s own procedures will fail to detect a material misstatement that exists. Unlike IR and CR, detection risk is directly controlled by the auditor through the design and execution of audit procedures.

Rearranging: $DR = \frac{AR}{IR \times CR}$

When the combined inherent and control risk (RMM = IR × CR) is high, the auditor must achieve very low detection risk — requiring more extensive, more persuasive evidence. When RMM is low, less work achieves the target audit risk.

Audit Risk Model Application — Retail Company Revenue

An auditor is planning the revenue cycle audit for a large retail chain. The client operates in a highly competitive industry with thin margins, creating significant pressure on management to achieve revenue targets (increasing inherent risk). The entity recently implemented a new point-of-sale system, and the auditor has not yet tested the related IT controls (control risk uncertain, provisionally assessed as high).

Setting: AR = 5%, IR = 80%, CR = 70% (provisionally, pending controls testing).

Required DR = 0.05 / (0.80 × 0.70) = 0.05 / 0.56 ≈ 8.9%

This means the auditor’s substantive procedures must be designed to detect at least 91% of any material misstatement that exists in revenue — a demanding standard requiring extensive, reliable substantive procedures (detailed transaction testing, robust analytical procedures with narrow precision).

If the auditor later tests IT controls and finds them effective, control risk may be revised downward to 40%:

Revised required DR = 0.05 / (0.80 × 0.40) = 0.05 / 0.32 ≈ 15.6%

Now the auditor can accept somewhat less extensive substantive work while still meeting the overall audit risk target — demonstrating the trade-off between controls reliance and substantive testing.

Chapter 2: Understanding the Entity and Its Environment

2.1 The Importance of Entity Understanding

Effective audit strategy requires deep knowledge of the entity being audited. CAS 315 (Identifying and Assessing the Risks of Material Misstatement) mandates that auditors obtain an understanding of:

The entity and its environment
The applicable financial reporting framework
The entity’s system of internal control

This understanding serves two purposes: first, identifying where material misstatements could occur; second, evaluating the design and implementation of controls that address those risks. Critically, CAS 315 (revised 2021, effective for audits of financial statements for periods beginning on or after December 15, 2021) significantly expanded the requirements for understanding IT systems and the general IT environment, reflecting the extent to which modern financial reporting is IT-dependent.

2.2 Industry, Regulatory, and Other External Factors

The entity does not operate in a vacuum. An auditor who does not understand the industry will miss industry-specific risks that an informed reader would recognize immediately.

Industry characteristics that affect risk assessment include:

Revenue recognition complexity: Software companies (IFRS 15 multi-element arrangements), construction companies (percentage-of-completion), media companies (licensing) all have inherently complex recognition requirements.
Inventory valuation: Mining companies (NRV vs. cost for raw ore), retailers (markdown risk, obsolescence), manufacturers (standard cost variances, overhead allocation).
Regulatory environment: Banks (OSFI capital requirements, IFRS 9 ECL), insurance companies (IFRS 17 liability measurement), pharmaceutical companies (FDA approval contingencies, R&D capitalization).
Competitive dynamics: Industries facing structural disruption create management pressure to maintain earnings, inflating incentive-based fraud risk.

Regulatory factors create both direct financial statement risks (failure to comply may trigger fines, penalties, or license revocation that must be disclosed or accrued) and indirect risks (management’s desire to appear compliant creates pressure to manipulate measures).

Laws and Regulations Risk (CAS 250): Auditors must consider the entity's compliance with laws and regulations that have a direct effect on financial statement amounts and disclosures (tax laws, pension legislation, environmental regulations) and laws that do not directly affect financial statements but whose violation may be material (e.g., fraud, securities legislation violations that could trigger significant fines). The auditor's responsibility is limited to identifying material non-compliance, not ensuring full legal compliance.

2.3 Business Model and Strategy Analysis

Understanding how an entity creates value — its business model — is foundational to identifying financial statement risk. A business model analysis considers:

Value chain: Where does the entity sit in its industry value chain? Is it a manufacturer, distributor, retailer? How does it add value at each step? Value chain analysis reveals where revenue is earned and where costs are incurred, linking business processes to financial statement line items.

Key performance indicators (KPIs): Management monitors the business through KPIs. Understanding which KPIs management tracks (and therefore has incentives to manage) reveals potential pressure points for earnings management. If management compensation is tied to EBITDA, expect heightened scrutiny of items that affect EBITDA (revenue recognition, capitalization vs. expensing of costs).

Strategic initiatives: Acquisitions, restructurings, new product launches, geographic expansion — each carries financial statement implications (purchase price allocation, restructuring provisions, goodwill, going-concern considerations for new ventures). The auditor must understand the strategy to anticipate these impacts.

Related-party relationships: Private equity ownership creates different incentive structures than widely dispersed public ownership. Concentrated family control creates different governance risks. Complex intercompany structures require assessment of arm’s-length pricing and consolidation completeness.

2.4 Evaluating Management’s Character and Competence

The control environment begins with the people at the top of the organization. The “tone at the top” — management’s demonstrated commitment to integrity, ethical conduct, and accountability — pervades the entire control environment and directly affects the risk of material misstatement through fraud.

Auditors assess management character through:

Track record: History of compliance, no prior restatements, no regulatory sanctions.
Attitude toward internal control: Does management invest in controls or view them as bureaucratic friction?
Accounting aggressiveness: Does management consistently select accounting policies and estimates at the aggressive end of permissible ranges?
Responsiveness to auditor findings: Does management take audit adjustments seriously or resist corrections?

The PCAOB's perspective on management bias: PCAOB AS 2110 (Identifying and Assessing Risks of Material Misstatement) emphasizes the auditor's responsibility to evaluate whether management has established a culture of transparency and accountability. CPAB inspection reports have repeatedly found deficiencies in auditors' evaluation of management integrity and bias — particularly in complex estimate areas where management judgment is unchallenged. The revised CAS 315 similarly strengthened requirements around evaluating management's risk assessment process and identifying management bias as a specific risk factor.

2.5 Management Bias in Accounting Estimates

Management bias is the systematic tendency of management to make accounting estimates that achieve a desired financial reporting outcome rather than reflecting the auditor’s best estimate of economic reality. Bias may not constitute fraud (it may be within GAAP), but it represents a risk that financial statements, while technically compliant, are misleading.

Common manifestations of management bias:

Consistently selecting the highest end of a permissible range for revenue-enhancing estimates (generous return provisions, optimistic impairment assumptions).
Systematically reversing provisions in periods when earnings need a boost.
Making “compensating” errors — understating one liability while overstating another — that happen to cancel out but individually affect key metrics.
Selecting discount rates, growth rates, or other inputs that invariably produce favorable outcomes.

The auditor addresses management bias by:

Reviewing prior-year estimates for systemic patterns of over- or under-estimation.
Evaluating the reasonableness of individual estimate inputs against external benchmarks.
Developing an independent auditor’s range for significant estimates and assessing whether management’s point estimate falls within that range.
Considering retrospective review — comparing prior estimates to actual outcomes — as evidence of estimation accuracy or bias.

Chapter 3: Fraud Risk Assessment

3.1 The Auditor’s Responsibility for Fraud

CAS 240 (The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements) establishes that while management is primarily responsible for preventing and detecting fraud, the auditor is responsible for obtaining reasonable assurance that financial statements are free from material misstatement due to fraud or error.

This is an asymmetric responsibility: the auditor is not a fraud investigator and is not expected to detect all fraud. However, the auditor must plan and execute procedures with an attitude of professional skepticism — recognizing that material fraud could exist — and must respond specifically when fraud risk indicators are identified.

Fraud: An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. In the context of financial reporting, fraud takes two primary forms: (1) fraudulent financial reporting — intentional misstatement or omission in the financial statements; and (2) misappropriation of assets — theft or misuse of an entity's assets.

3.2 The Fraud Triangle

Donald Cressey’s Fraud Triangle (1953), developed through interviews with convicted embezzlers, identifies three conditions that are nearly always present when fraud occurs:

1. Pressure (Incentive)

Financial pressures on individuals within the organization motivate fraud. Pressures may be:

Personal financial pressure: Gambling debts, lifestyle inflation, unexpected medical expenses.
Professional pressure: Meeting analyst earnings expectations, maintaining loan covenants, achieving bonus targets.
Organizational pressure: Turnaround situations, debt repayment obligations, competitive threats requiring apparent stability.

From a financial statement perspective, incentive-based pressures are particularly concerning because they incentivize fraudulent financial reporting (inflating revenues, understating liabilities) rather than simple asset misappropriation.

2. Opportunity

Weak controls, inadequate oversight, or a position of trust that enables fraud to occur without detection:

Override of internal controls by senior management (who have authority to approve exceptions).
Absence of segregation of duties (one person controls all aspects of a transaction).
Weak monitoring by the board of directors or audit committee.
Complex transactions, structures, or arrangements that obscure true economic substance.
Dominant management personality that suppresses challenge or questioning.

3. Rationalization

The perpetrator must convince themselves the act is acceptable:

“I’ll pay it back.”
“The company owes me after everything I’ve done.”
“Everyone does this.”
“I’m just accelerating legitimate revenue — we’ll earn it eventually.”
“The rules don’t account for our unique situation.”

The Fraud Diamond: Wolfe and Hermanson (2004) extended the Fraud Triangle by adding a fourth element — Capability. Even with pressure, opportunity, and rationalization, fraud requires someone with the skills, position, and knowledge to execute it successfully and avoid detection. This addition explains why fraud is concentrated in positions with system access, financial expertise, and organizational authority. Auditors should consider not just whether conditions for fraud exist but whether individuals with the capability to exploit those conditions are present.

3.3 Fraud Brainstorming

CAS 240 requires a mandatory brainstorming session among the engagement team — typically at the start of the planning phase — to discuss how and where the financial statements could be susceptible to material misstatement due to fraud.

Effective brainstorming:

Includes all team members (including junior staff who may have insights from client interaction).
Is led by the engagement partner or senior manager.
Considers both fraudulent financial reporting and asset misappropriation.
Considers management override of controls as a presumed risk.
Documents the discussion and its conclusions.
Is revisited when significant new information emerges during the engagement.

CAS 240 also establishes that revenue recognition is a presumed fraud risk in every audit (absent specific rebuttal), reflecting its historical prominence in financial statement fraud cases.

3.4 Fraud Risk Factors

Fraud risk factors are conditions that indicate the presence of one or more elements of the fraud triangle. Auditors use these as signals — not proof — of elevated fraud risk:

Category	Example Risk Factors
Incentive/Pressure	Management’s compensation heavily weighted toward bonus tied to profit targets; entity facing debt covenant breach; analyst consensus significantly above prior-year performance
Opportunity	Dominant CEO with unchallenged authority over accounting decisions; rapid growth outpacing control infrastructure; complex intercompany transactions with offshore entities
Rationalization	Management’s dismissive attitude toward audit findings; history of aggressive accounting choices; high staff turnover in financial reporting roles
Industry/Environment	Rapid technological change threatening business model; recent regulatory investigation; significant related-party transactions

3.5 Benford’s Law and Analytical Fraud Detection

Benford’s Law (Frank Benford, 1938; Newcomb, 1881) describes the frequency distribution of leading digits in naturally occurring numerical data. For data sets following this distribution, smaller leading digits occur far more frequently than larger ones:

Leading Digit	Expected Frequency
1	30.1%
2	17.6%
3	12.5%
4	9.7%
5	7.9%
6	6.7%
7	5.8%
8	5.1%
9	4.6%

This counter-intuitive pattern arises because naturally occurring data (populations, stock prices, transaction amounts) span multiple orders of magnitude, and when viewed on a logarithmic scale, each digit occupies an equal “width” — but smaller digits cover a larger range of values near zero where data concentrates.

Audit application: Benford’s Law is applied to transaction populations (journal entries, expense claims, vendor invoices) to identify anomalies. Deviations from expected frequencies — particularly clustering of amounts just below authorization thresholds (e.g., unusual peaks at $4,990 for a $5,000 approval limit) — are red flags for potential manipulation.

Benford's Law in Journal Entry Testing

An auditor applies Benford’s Law analysis to 85,000 journal entries made during the year. The analysis reveals:

First-digit “9” appears in 9.2% of entries versus the expected 4.6% — roughly double.
Amounts clustered at $9,999 appear 340 times, versus approximately 18 expected under Benford’s distribution.

Follow-up investigation reveals that a subset of these entries are credit to revenue and debit to accounts receivable — all approved by the CFO — representing fictitious revenue entries just below the $10,000 dual-approval threshold. The Benford’s deviation did not prove fraud, but it directed the auditor’s attention to a specific population requiring targeted testing.

Note: Benford’s Law does not apply to all data. It requires naturally occurring data spanning multiple orders of magnitude. It does not apply well to: assigned numbers (employee IDs, purchase order numbers), data with prescribed ranges (ages, percentages), or very small populations.

Chapter 4: Materiality in Audit Strategy

4.1 The Concept of Materiality

Materiality is the threshold above which a misstatement, individually or in aggregate, could reasonably be expected to influence the economic decisions of financial statement users. It is simultaneously a quantitative concept (measured in dollars) and qualitative concept (some misstatements are material regardless of size).

Materiality operates at two levels in an audit:

Overall (planning) materiality: Set at the engagement level, reflecting materiality for the financial statements as a whole. Used to identify significant accounts and assess overall audit scope.
Performance materiality: A lower threshold used in designing specific procedures, set to reduce the probability that aggregate uncorrected misstatements exceed overall materiality.

Materiality (CAS 320 / ISA 320): Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements. Judgments about materiality are made in light of surrounding circumstances, including the size and nature of a misstatement.

4.2 Setting Planning Materiality

Materiality is set with reference to a benchmark — a financial statement measure that reflects what users focus on. Common benchmarks and percentage ranges:

Entity Type	Common Benchmark	Typical Percentage
Profitable companies	Pre-tax income from continuing operations	5%
Cyclical or loss companies	Revenue or gross profit	0.5%–1%
Not-for-profit organizations	Total expenditure or total revenue	0.5%–1%
Financial institutions	Total assets	0.5%
Asset-intensive entities	Total assets	0.5%–1%
High-equity companies	Equity	1%–2%

The choice of benchmark requires judgment. A company reporting near break-even may have pre-tax income that is extremely volatile or nearly zero — making percentage-of-income materiality unstable. Auditors may use a “normalized” income measure or switch to revenue as a more stable benchmark.

Planning Materiality Calculation — Manufacturing Company

A manufacturing company reports the following for the year:

Pre-tax income: $4.2 million
Revenue: $87.3 million
Total assets: $123.6 million
Equity: $48.9 million

Step 1: Identify the primary benchmark. Pre-tax income is appropriate for a profitable company. Step 2: Apply the percentage. 5% × $4.2 million = $210,000. Step 3: Cross-check against alternative benchmarks:

0.5% × revenue = $436,500
1% × equity = $489,000
0.5% × assets = $618,000 Step 4: Consider qualitative factors. The company is a public company with debt covenants tied to income — users focus intensely on income. Income-based materiality of $210,000 is supportable but note that a misstatement of 5% of pre-tax income represents only 0.24% of revenue. Judgment supports retaining $210,000. Planning materiality: $210,000.

4.3 Performance Materiality and Tolerable Misstatement

Performance materiality (called “tolerable misstatement” in the context of sampling) is set below planning materiality to provide an aggregate buffer. If each individual account is tested to the performance materiality threshold and no misstatements are detected, the probability that aggregate misstatements exceed planning materiality is acceptably low.

Typical range: 50%–75% of planning materiality, with the lower end appropriate when:

Prior-year audits found material misstatements.
There are numerous accounts with moderate individual risk.
The entity has complex accounting with many estimates.
First-year audit with limited prior knowledge.

Continuing the example above: Performance materiality = 65% × $210,000 = $136,500.

This means individual account tests are designed to detect misstatements at the $136,500 level. Sample sizes are calibrated to this threshold rather than to $210,000.

4.4 The Clearly Trivial Threshold

The clearly trivial threshold (also called the “summary of uncorrected misstatements” threshold) is the amount below which identified misstatements need not be accumulated and communicated to management. Misstatements clearly below this amount, individually and in aggregate, will not affect the auditor’s conclusion.

Typical range: 3%–5% of planning materiality.

Continuing the example: Clearly trivial = 5% × $210,000 = $10,500.

The auditor still uses professional judgment — a misstatement of $8,000 that is below the clearly trivial threshold would still be communicated if it relates to a qualitatively sensitive area (e.g., it relates to potential illegal activity or management’s compensation).

4.5 Specific Materiality for Particular Classes of Transactions

CAS 320 permits setting materiality levels lower than overall materiality for specific classes of transactions, account balances, or disclosures when:

Users are expected to be particularly interested in that specific element (e.g., executive compensation disclosures attract close scrutiny).
Regulatory requirements specify particular amounts as thresholds.
Legal or contractual provisions create sensitivity to specific items.

Qualitative materiality considerations: Purely quantitative materiality benchmarks are necessary but not sufficient. A misstatement may be qualitatively material even if below the dollar threshold when: (1) it masks a change in trend that would influence user decisions; (2) it converts a loss to a profit, or vice versa; (3) it affects regulatory compliance measures; (4) it involves related-party transactions or officer compensation; (5) it is a breach of a contractual covenant. Auditors must evaluate qualitative factors explicitly and document their reasoning.

4.6 Materiality Revisions During the Engagement

Planning materiality is set using preliminary financial data. When actual results become available during fieldwork, the auditor must assess whether the original materiality remains appropriate:

If actual pre-tax income is significantly higher than expected, a 5%-of-income materiality would be higher — potentially allowing some planned procedures to be scaled back.
If actual income is lower (or negative), income-based materiality becomes less appropriate, and the auditor may need to use an alternative benchmark or reduce the materiality amount.
If a significant unexpected event occurs (major acquisition, restructuring), materiality may need reassessment.

Revisions to materiality are documented in the audit file with reasoning, and the audit plan is updated accordingly.

Chapter 5: Group Audits — ISA 600 / CAS 600

5.1 The Group Audit Challenge

Many entities subject to audit are groups — parent entities with one or more subsidiaries, branches, or other components whose financial information is included in the consolidated financial statements. Group audits present distinct strategic challenges:

Multiple legal entities with separate accounting records, controls, and management teams.
Multiple auditors: the group engagement team may not audit all components directly, relying on component auditors — separate audit firms or offices that audit individual subsidiaries.
Different jurisdictions: Components may operate under different financial reporting standards, legal environments, and regulatory regimes.
Different risk profiles: Each component has its own inherent risks, control environments, and financial reporting systems.

Group Engagement Team: The partners, managers, and staff who plan and perform the group audit engagement and issue the group auditor's report. Responsible for directing and supervising component auditors, evaluating the sufficiency of component auditors' work, and consolidating component results into the group conclusion.

Component Auditor: An auditor who, at the request of the group engagement team, performs work on financial information of a component for purposes of the group audit. May be from the same firm as the group engagement team (different office) or from an entirely different firm.

5.2 Significant Components

Significant components are components that are individually financially significant to the group, or that by their nature or circumstances are likely to include significant risks of material misstatement in the group financial statements.

Two types of significant components:

1. Financially significant components: Components whose individual significance (typically measured by revenue, assets, or pre-tax income) exceeds a specified percentage of the group benchmark. A common threshold is 15%–20% of the applicable group benchmark, though this is a judgment call.

2. Components with significant risk: Even a relatively small component may require full-scope audit procedures if it involves significant risks of material misstatement — for example, a small subsidiary that engages in complex derivatives trading, or a subsidiary operating in a high-risk jurisdiction with weak governance.

For significant components, the group engagement team must:

Perform, or request the component auditor to perform, an audit of the component’s financial information using component materiality.
Review the component auditor’s work to the extent necessary to conclude on the group.

For non-significant components, the group engagement team may perform analytical procedures at the group level, or instruct the component auditor to perform specified procedures.

5.3 Component Materiality

Component materiality is set below overall group materiality. Because the group financial statements are the sum of all components, aggregate uncorrected misstatements across components could exceed group materiality even if each component’s misstatements are below group materiality individually.

Component materiality is typically set at 50%–75% of group planning materiality, and may vary by component based on risk. The group engagement team must also set a clearly trivial threshold for the group that considers the aggregation risk from multiple components.

Component Materiality in a Multi-Subsidiary Group

A Canadian parent company (TSX-listed) has four subsidiaries:

Sub A (Canada): 45% of group revenue — component of a national office of the group’s auditor
Sub B (US): 30% of group revenue — component auditor is a US PCAOB-registered firm
Sub C (UK): 15% of group revenue — component auditor is a UK FRC-registered firm
Sub D (emerging market): 10% of group revenue — local audit firm with no international affiliation

Group planning materiality: $800,000.

Component materiality assignments:

Sub A (financially significant, same firm): $480,000 (60% of group)
Sub B (financially significant, different firm): $400,000 (50% of group)
Sub C (at the threshold of significance): $320,000 (40% of group)
Sub D (non-significant but elevated risk due to jurisdiction): $240,000 (30% of group) with specified procedures and enhanced review

Sub D’s low component materiality reflects elevated risk despite small size — the group engagement team may need to perform additional procedures directly for this component given the limited ability to rely on the local auditor.

5.4 Group Instructions and Communication

The group engagement team issues group instructions to component auditors, providing:

The reporting timetable and required submission dates.
Component materiality and clearly trivial threshold.
Identified significant risks at the group level that may affect components.
Required audit procedures (audit, review, or specified procedures).
Reporting requirements — what must be communicated back to the group team.
Instructions regarding related-party transactions with other group entities.
Representation letter requirements.

Required communications from component auditors include:

Significant accounting and auditing matters arising during the component audit.
Identified or suspected fraud involving management, those charged with governance, or employees with a significant role in internal control.
Significant deficiencies or material weaknesses in internal controls.
Any factors indicating that the component auditor’s report may not be relied upon.

5.5 Evaluating Component Auditor Work

When the group engagement team relies on component auditors, it must evaluate whether the component work is sufficient and appropriate. Evaluation considerations:

Professional competence: Is the component auditor subject to professional oversight and standards equivalent to those applicable to the group engagement?
Independence: Is the component auditor independent of the component?
Quality of work: Does the component auditor’s documentation support the conclusions reached? Does the approach address the risks identified?
Communication quality: Are issues reported clearly and timely?

For higher-risk components, the group engagement team may need to:

Visit the component and review working papers directly.
Participate in risk assessment discussions.
Perform additional procedures to supplement component work.
Override component materiality with more conservative thresholds.

CPAB findings on group audits: CPAB inspection reports have consistently identified group audit oversight as a deficiency area for Canadian audit firms. Common findings include: insufficient review of component auditor working papers; failure to direct component auditors regarding identified significant risks; inadequate assessment of component auditor independence and professional standing; and reliance on management representations rather than direct evidence when consolidation adjustments are involved. These findings reinforce the importance of treating group audit coordination as a substantive quality matter, not an administrative one.

Chapter 6: Audit Sampling — Strategy and Methodology

6.1 Why Auditors Sample

Testing every transaction in a large population is rarely practicable or cost-effective. Audit sampling allows auditors to obtain evidence about characteristics of a population by examining a subset, then projecting conclusions to the full population.

CAS 530 (Audit Sampling) defines audit sampling as the application of audit procedures to less than 100% of items within a population of audit relevance such that all sampling units have a chance of selection, in order to provide a basis for conclusions about the entire population.

Two fundamental risk types flow from sampling:

Sampling risk: The risk that the auditor’s conclusion based on the sample differs from the conclusion that would be reached if the entire population were examined. Sampling risk is an inherent limitation of any sampling procedure and can only be eliminated by testing 100% of the population.
Non-sampling risk: The risk of reaching an incorrect conclusion for any reason not related to sampling — misapplying a procedure, misidentifying a deviation, or failing to recognize evidence. This is controlled through training, supervision, and quality control.

6.2 Statistical vs. Non-Statistical Sampling

Statistical sampling uses probability theory to:

Design a sample using random or systematic selection with calculable selection probabilities.
Measure sampling risk quantitatively.
Project sample results to the population with a specified confidence level.

Statistical sampling requires random selection (every item in the population has a known, non-zero probability of selection) and mathematical evaluation of results.

Non-statistical (judgmental) sampling relies on the auditor’s professional judgment for all sampling decisions. It is not inherently inferior — non-statistical sampling can be equally effective when exercised by experienced auditors — but it cannot provide quantified measures of sampling risk.

The choice between statistical and non-statistical sampling should be based on which approach is most efficient and effective given the circumstances, not on a blanket preference. In practice, large audit firms have developed statistical sampling tools that standardize the process while maintaining professional judgment.

6.3 Stratified Sampling

Stratified sampling divides a population into relatively homogeneous subgroups (strata) based on the value of the item and samples each stratum separately. This technique is particularly effective when a population has a skewed distribution — a few large items and many small items.

Benefits of stratification:

Allows 100% examination of high-value items (top stratum).
Reduces required sample size in lower strata by reducing variability within each stratum.
Allows risk-proportionate allocation of effort.

Stratified Sampling — Accounts Receivable

An auditor is testing the existence and valuation of accounts receivable with a year-end balance of $12.4 million. The population consists of 2,847 individual customer balances ranging from $500 to $487,000. Performance materiality is $150,000.

Stratification design:

Stratum 1 (>$150,000): 18 items, total $3.2 million — test 100%
Stratum 2 ($50,000–$150,000): 145 items, total $8.7 million — sample 40 items
Stratum 3 ($10,000–$50,000): 680 items, total $0.4 million — sample 25 items
Stratum 4 (<$10,000): 2,004 items, $0.1 million — rely on analytical procedures

This design ensures that all individually significant items are confirmed while sampling in lower strata provides evidence about the bulk of the remaining balance. The coverage achieved (3.2 + 8.7 = $11.9 million or 96% of the balance) is high despite testing only 183 of 2,847 items.

6.4 Monetary Unit Sampling (MUS)

Monetary unit sampling (also called probability-proportional-to-size sampling, or PPS sampling) is a statistical sampling technique particularly suited to tests of details for overstatement of account balances. Each dollar in the population has an equal probability of selection, meaning larger-valued items have a proportionally higher probability of being selected.

Key features of MUS:

Automatically stratifies the sample — large items are selected more frequently.
Provides a statistically defensible upper bound on total misstatement (the bound on misstatement).
Efficient when the auditor expects few or no misstatements in the population.
Not appropriate when understatement risk is the primary concern (since zero-balance items cannot be selected).

MUS procedure:

Define the population and determine the recorded balance (e.g., accounts receivable = $12,400,000).
Determine the sampling interval: $I = PM / RF$ where PM = performance materiality and RF = reliability factor based on desired confidence level.
- At 95% confidence (5% risk of incorrect acceptance), RF ≈ 3.0 for zero expected errors.
- Sampling interval: $150,000 / 3.0 = $50,000.
Determine sample size: $n = Population / I = \$12{,}400{,}000 / \$50{,}000 = 248$ items.
Select a random start within the first interval and select every $50,000th dollar thereafter (systematic selection through cumulative population values).
Test selected items (e.g., confirm with customers).

Evaluating MUS results:

If no misstatements are found, the upper misstatement bound equals: $PM = I \times RF = \$50{,}000 \times 3.0 = \$150{,}000$. This means the auditor can conclude with 95% confidence that total overstatement does not exceed $150,000 — which is below performance materiality.

If misstatements are found, the bound increases. Each error contributes to the projected misstatement, calculated as: $Error \times (I / Recorded~amount)$ for 100% errors, or with a taint factor for partial errors.

MUS Misstatement Evaluation

Continuing the above example (I = $50,000, n = 248, 95% confidence):

During testing, two misstatements are identified:

Item 1: Recorded amount $73,400; audited amount $55,050; misstatement = $18,350. Taint = 18,350/73,400 = 25%.
Item 2: Recorded amount $12,800; audited amount $0 (item does not exist); misstatement = $12,800. Taint = 100%.

Projected misstatement:

Item 1: 25% × $50,000 = $12,500
Item 2: 100% × $50,000 = $50,000
Total projected misstatement = $62,500

Incremental allowance for sampling risk (from MUS tables at 95% confidence with 2 errors):

With 2 expected errors, RF increases from 3.0 to approximately 5.33.
Upper misstatement bound = $50,000 × (5.33 − 2 × taint adjustments) ≈ complex calculation; using tables, UMB ≈ $194,000.

Since the upper misstatement bound ($194,000) exceeds performance materiality ($150,000), the auditor cannot conclude that misstatement is below tolerable levels and must extend testing, request adjustments, or both.

6.5 Classical Variables Sampling

Classical variables sampling (CVS) uses classical statistical theory (mean estimation or difference estimation) rather than dollar-unit selection. Unlike MUS, CVS can address both overstatement and understatement risk and is more appropriate when misstatements are expected to be frequent.

Difference estimation: The auditor estimates the total population misstatement based on the average difference between recorded and audited values in the sample:

\[ \hat{D} = \bar{d} \times N \]

where $\bar{d}$ is the mean difference in the sample and $N$ is the population count.

A confidence interval is calculated around $\hat{D}$ using the sample standard deviation, population size, and desired confidence level. The precision interval must be smaller than performance materiality for the result to be satisfactory.

CVS is more complex to apply than MUS and requires a larger sample when differences are variable. However, it provides a symmetric confidence interval (addressing both over- and understatement) that MUS cannot provide.

6.6 Haphazard vs. Systematic Selection

Haphazard selection: The auditor selects items without a deliberate pattern, attempting to approximate randomness. This is a non-statistical method and is acceptable when the auditor is confident the selection is representative and free from bias. However, haphazard selection is susceptible to unconscious patterns — auditors tend to avoid items that seem difficult or unusual.

Systematic selection (also called interval sampling): The auditor determines a sampling interval ($I = N/n$ for attribute sampling, or $I = Population~/~n$ for MUS) and selects every $I$th item after a random start. This is a random selection method when the population is not arranged in a pattern related to the characteristic being tested. The risk is that a pattern in the population (e.g., every 10th item is from a high-risk location) could systematically bias the sample.

Random selection (truly random): Each item in the population is assigned a number and a random number generator selects items. This is the gold standard for statistical validity but requires a numbered population.

Sequence (block) selection: Selecting items from contiguous blocks (e.g., all invoices from March). Generally not appropriate for audit sampling because it fails to provide adequate coverage and is not representative.

Chapter 7: Substantive Analytical Procedures

7.1 The Power and Limits of Analytical Procedures

Analytical procedures are evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. They range from simple comparisons (current year vs. prior year) to sophisticated statistical models.

CAS 520 (Analytical Procedures) requires analytical procedures in:

Planning: To understand the entity and identify areas of potential risk.
Substantive procedures: As a substantive test of account balances and transactions.
Final review: To assess whether the financial statements as a whole are consistent with the auditor’s understanding of the entity.

The key distinction between analytical procedures used for risk assessment (which are not substantive procedures and cannot reduce tests of details) versus substantive analytical procedures (SAPs, which can provide substantive assurance and reduce tests of details) is critical to audit planning.

Substantive Analytical Procedure (SAP): An analytical procedure used as a substantive test — i.e., designed to detect material misstatements in account balances or transaction classes. For an SAP to be effective as a standalone procedure (without corroborating tests of details), it must meet high standards for precision and data reliability. Per CAS 520, the auditor must assess the suitability of the SAP for the assertion, the reliability of the data used, and whether the expectation is sufficiently precise to identify a material misstatement.

7.2 Developing a Precise Expectation

The effectiveness of an SAP depends critically on the precision of the expectation — how tightly the auditor can predict what the account balance should be. A vague expectation (e.g., “revenue should be about the same as last year”) will detect only very large misstatements. A precise expectation (e.g., “revenue from product line A in Q3 should be $4.3 million ± $200,000 based on unit sales volume × standard price”) can detect misstatements at or near performance materiality.

Factors affecting expectation precision:

Data reliability: Data from external, independent sources is more reliable than internally generated data. Using industry statistics, economic indicators, or confirmed third-party data strengthens the expectation.
Disaggregation: Expectations developed at a disaggregated level (by product line, region, or month) are more precise than aggregated totals. Revenue disaggregated to product × region × period is far more precise than total annual revenue.
Relationship strength: Relationships used in SAPs must be plausible, predictable, and documented. The relationship between number of hotel rooms occupied and room revenue is strong. The relationship between advertising expenditure and revenue is weaker and less precise.
Non-financial data: Using non-financial measures (units produced, occupancy rates, headcount) as predictors reduces the risk that the financial data itself is used to develop the expectation (which would be circular).

7.3 Investigating Differences

When an SAP reveals a difference between the auditor’s expectation and the recorded amount, the auditor must:

Assess the size of the difference relative to the precision threshold established at the planning stage. Differences within the expected range (precision) do not require investigation.
Inquire of management to obtain an explanation for differences outside the precision threshold. Management explanations must then be corroborated — an explanation that cannot be corroborated with independent evidence provides limited comfort.
Evaluate corroborating evidence: Documents, third-party data, or other audit evidence that supports (or refutes) management’s explanation.
Expand procedures if the explanation is unsatisfactory or the evidence insufficient.

SAP Design and Investigation — Payroll

An auditor designs a payroll SAP for a manufacturing company. The approach:

Expectation model: Total payroll = Headcount × Average compensation + Benefits cost ratio × Total salaries

Data sources:

Headcount: HR system (externally confirmed through payroll tax filings)
Average compensation: Prior year average + CBA-negotiated wage increase of 3.2%
Benefits ratio: Prior year ratio (stable at 18.5% of salaries for several years)

Expectation: $12.85 million ± $400,000 (precision = $400,000, below performance materiality of $650,000)

Recorded amount: $14.2 million — a difference of $1.35 million, well outside the precision threshold.

Investigation:

Management explains: acquired a new facility mid-year with 85 employees, increasing headcount from 340 to 425.
Corroboration: acquisition agreement confirms completion date; revised headcount in HR records confirmed; payroll tax T4 filings by employee number.
Revised expectation incorporating acquisition: $13.85 million.
Remaining unexplained difference: $350,000 — within precision.
Conclusion: SAP provides comfort subject to corroboration of the acquisition-related explanation.

7.4 Corroborating Evidence in Analytical Procedures

A key discipline in substantive analytical procedure execution is ensuring that management’s explanations for differences are genuinely corroborated — not merely accepted at face value. Common forms of corroborating evidence:

External data confirming the explanation (industry reports, economic statistics, public filings of related parties).
Documentary evidence of specific events (contracts, board minutes authorizing transactions).
Other audit evidence already obtained (physical counts, confirmation results).
Cross-checking internal explanations against multiple data sources to assess consistency.

Accepting management’s explanation without corroboration violates the principle of professional skepticism and represents a common SAP deficiency noted in CPAB inspections.

Chapter 8: Auditing Complex Accounting Estimates

8.1 Why Estimates Are High Risk

Financial statements contain numerous accounting estimates — amounts that cannot be determined precisely and must be approximated based on judgment, assumptions, and often uncertain future events. Examples include:

Allowance for expected credit losses (IFRS 9 ECL)
Fair value measurements for financial instruments (IFRS 13)
Goodwill impairment (IAS 36)
Provisions for litigation and restructuring (IAS 37)
Defined benefit pension obligations (IAS 19)
Revenue from long-term contracts (IFRS 15, percentage of completion)

Estimates are inherently uncertain and thus inherently susceptible to misstatement — whether through honest error, management bias, or deliberate manipulation. CAS 540 (Auditing Accounting Estimates and Related Disclosures) was substantially revised effective December 15, 2019, reflecting the IAASB’s recognition that existing guidance was inadequate for the complexity of modern financial reporting estimates.

CAS 540 (Revised): Establishes requirements and guidance for auditing accounting estimates. Key enhancements over the prior standard include: (1) a more structured approach to understanding how estimates are made; (2) explicit requirements to evaluate management's identification and response to estimation uncertainty; (3) stronger requirements around auditor skepticism when management's method, significant assumptions, or data are not supported by evidence; and (4) enhanced requirements for evaluating disclosures about estimation uncertainty.

8.2 Auditing Fair Value Measurements — IFRS 13

Fair value is the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants at the measurement date (IFRS 13, paragraph 9). The fair value hierarchy classifies inputs used in valuation:

Level	Input Characteristics	Examples
Level 1	Quoted prices in active markets for identical assets or liabilities	Listed equity securities, exchange-traded futures
Level 2	Observable inputs other than Level 1 (quoted prices for similar assets, market-corroborated inputs)	Interest rate swaps (using observable yield curves), similar property values
Level 3	Unobservable inputs reflecting management’s own assumptions	Private equity investments, complex derivatives, intangible assets

Audit risk escalates as the level increases: Level 1 measurements are highly objective (verify the quoted price). Level 3 measurements depend entirely on management’s assumptions and are the highest inherent risk area in fair value auditing.

Audit procedures for fair value:

Understand the valuation technique: Is the method appropriate for the asset/liability type? Discounted cash flow (DCF), market approach, cost approach — each has conditions where it is appropriate.
Evaluate significant assumptions: Are discount rates, growth rates, exit multiples, or other key inputs reasonable? How sensitive is the fair value to changes in assumptions?
Develop an independent estimate (auditor’s range): The auditor may develop their own independent point estimate or range using alternative assumptions or an independent specialist. Management’s estimate is evaluated against the auditor’s range.
Evaluate disclosures: IFRS 13 requires extensive disclosure about Level 3 fair values, including sensitivity analysis. Are the disclosures complete and consistent with the audit evidence?

Level 3 Fair Value — Private Equity Investment

A fund manager reports a Level 3 investment at $48 million using a DCF model. Key assumptions: revenue growth rate 12%, EBITDA margin 28%, discount rate 14%, terminal growth rate 3%.

Audit procedures:

Inspect the investee’s most recent financial statements and management accounts — independently assess revenue growth and margins.
Benchmark discount rate against published industry WACC studies for comparable private companies.
Develop auditor’s DCF range using alternative assumptions: growth rate 9%–12%, margin 26%–28%, discount rate 14%–16%, terminal growth 2%–3%.
Auditor’s range: $38 million to $53 million. Management’s $48 million falls within the range — this does not mean $48 million is the “correct” value, but rather that it is not outside the range of reasonable estimates. The auditor evaluates whether $48 million is the best estimate within the range or whether management has selected the high end.
Assess disclosures: the notes must disclose the significant unobservable inputs and a sensitivity analysis showing the impact of reasonable changes in those inputs.

8.3 Auditing Expected Credit Losses — IFRS 9

IFRS 9 replaced IAS 39’s incurred loss model with an expected credit loss (ECL) model, which requires recognition of credit losses based on forward-looking estimates rather than waiting for loss events to occur. This shift significantly increased the judgment required in provisioning — and correspondingly increased the audit complexity.

The three-stage ECL model:

Stage 1: Financial instruments on initial recognition and those without significant increase in credit risk. ECL measured as 12-month ECL (losses from defaults expected within 12 months).
Stage 2: Instruments with significant increase in credit risk since initial recognition. ECL measured as lifetime ECL.
Stage 3: Credit-impaired instruments. ECL measured as lifetime ECL; interest income recognized on net carrying amount.

Key audit challenges in ECL:

Stage allocation: Has management correctly identified instruments that have experienced significant increases in credit risk (SICR)? Misclassifying Stage 2 instruments as Stage 1 understates the ECL provision.
Forward-looking information: ECL models must incorporate macroeconomic forecasts. Are the scenarios and their probability weightings reasonable? Is there management bias toward optimistic scenarios?
Model validation: Has the ECL model been independently validated? Are there backtesting results showing model accuracy?
Significant increase in credit risk indicators: Are the triggers for SICR transfer appropriately calibrated and consistently applied?
Qualitative adjustments (overlays): Has management made post-model adjustments? Are these adjustments documented, reasonable, and not simply used to reverse provisions that management finds inconvenient?

Bank ECL auditing — CPAB and PCAOB findings: Both CPAB and PCAOB have flagged ECL provisioning as a recurring area of audit deficiency for financial institution audits. Common deficiencies include: insufficient testing of management's assessment of SICR; inadequate evaluation of forward-looking macroeconomic scenarios; and over-reliance on management's model validation without independent assessment by the auditor. The systemic importance of ECL accuracy in bank financial statements means that ECL audit failures carry systemic financial stability implications beyond any individual audit engagement.

8.4 Management’s Point Estimate vs. the Auditor’s Range

CAS 540 provides three approaches to auditing estimates:

Test management’s process: Evaluate whether the method, significant assumptions, and data used are appropriate and reasonable. Audit management’s model directly.
Develop an independent estimate: The auditor (or the auditor’s specialist) independently estimates the fair value or other estimate, then compares to management’s estimate.
Review subsequent events: For some estimates, subsequent events may provide additional evidence about the reasonableness of the estimate at year-end.

When using approach 2, the auditor compares management’s point estimate to the auditor’s point estimate or range. If management’s estimate falls within the auditor’s range, the estimate is not necessarily wrong — but the auditor should evaluate whether the estimate is biased toward the top or bottom of the range. A pattern of management estimates consistently at the favorable extreme of any range constitutes evidence of management bias.

If management’s estimate falls outside the auditor’s range, the auditor must request a revision. If management refuses, the auditor must assess whether the resulting misstatement is material and consider its effect on the audit opinion.

Chapter 9: Going Concern

9.1 The Going Concern Assumption

Financial statements are prepared on the going concern basis — the assumption that the entity will continue operations for the foreseeable future (at least 12 months from the financial statement date or from the reporting date if later). If an entity is not a going concern, financial statements would be prepared on a liquidation basis (assets at net realizable value, liabilities at expected settlement amounts) — fundamentally different information.

CAS 570 (Going Concern) establishes the auditor’s responsibility to evaluate the appropriateness of management’s use of the going concern basis and to identify going concern uncertainty that requires disclosure or modification of the audit report.

9.2 Going Concern Indicators

Auditors consider indicators across financial and non-financial dimensions:

Financial indicators:

Net liability position or net current liability position.
Fixed-term borrowings approaching maturity without realistic refinancing prospects.
Indicators of withdrawal of financial support by creditors.
Negative operating cash flows indicated by historical or projected financial statements.
Adverse key financial ratios (debt coverage, liquidity ratios).
Substantial operating losses or significant deterioration in asset values used to generate cash flows.
Arrears or discontinuance of dividends.
Inability to pay creditors on due dates.

Operating indicators:

Management intentions to liquidate the entity or cease operations.
Loss of key management without replacement.
Loss of a major market, key customer, franchise, license, or principal supplier.
Labor difficulties.
Shortages of important supplies.
Emergence of a highly successful competitor.

Other indicators:

Non-compliance with capital or other statutory requirements.
Pending legal or regulatory proceedings against the entity that may, if successful, result in claims the entity could not satisfy.
Changes in law or regulation expected to adversely affect the entity.

9.3 Audit Response to Going Concern Risk

When indicators are identified:

Request management’s assessment: Management must evaluate the going concern assumption and identify any plans to address the concerns. The auditor reviews management’s assessment for completeness and reasonableness.
Evaluate mitigating factors: Are management’s plans (asset sales, refinancing, cost reductions, equity raising) feasible? Are there committed facilities or firm offers from lenders?
Obtain sufficient evidence: Test the assumptions underlying management’s cash flow projections. Compare assumptions to historical accuracy. Assess whether the planned time frame is achievable.
Consider the disclosure period: Going concern assessment covers at least 12 months from the financial statement date. The auditor considers events and conditions throughout this period, including events after the balance sheet date.

9.4 Audit Reporting for Going Concern

Situation	Report Modification
Going concern basis appropriate; adequate disclosure of material uncertainty	Unmodified opinion with Emphasis of Matter paragraph drawing attention to disclosure
Going concern basis appropriate; inadequate disclosure of material uncertainty	Qualified or adverse opinion (departure from GAAP in presentation)
Going concern basis inappropriate (entity is not a going concern)	Adverse opinion
Significant management judgment involved but not a material uncertainty	No modification required, but auditor considers whether Key Audit Matter paragraph is appropriate

Going Concern — Canadian Mining Company

A junior mining company has no operating revenues, cash of $1.2 million, monthly operating expenditures of $380,000, and long-term mineral rights as its primary asset. At the current burn rate, cash will be exhausted in 3.2 months. Management’s going concern assessment identifies the following mitigating plans: (1) a private placement of $3 million currently in discussion with a lead investor (no signed commitment); (2) a potential joint venture partner for the main mineral property (preliminary discussions only); (3) planned reduction in exploration expenditure.

Audit evaluation: The plans are not committed — no signed agreements, no board approvals from the investor. The private placement is subject to regulatory approval. The auditor cannot conclude that the mitigating plans are “virtually certain” to succeed. A material uncertainty related to going concern exists and must be disclosed.

Audit report: Unmodified opinion with a “Material Uncertainty Related to Going Concern” section (separate from Key Audit Matters) drawing attention to the disclosure in Note X, but not modifying the overall opinion since the going concern disclosure is adequate.

Chapter 10: Quality Management in Audit Practice

10.1 The Quality Management Framework

Audit quality is the foundation of the audit profession’s social license. The IAASB’s quality management standards — adopted in Canada as CSQM 1 and CSQM 2 — represent a fundamental paradigm shift from the earlier CSQC 1 approach: from a compliance-based checklist model to a risk-based quality management system (QMS).

CSQM 1 (Canadian Standard on Quality Management 1): Effective for periods beginning on or after December 15, 2022. Requires all audit and assurance firms to design, implement, and operate a system of quality management tailored to the nature and circumstances of the firm. The QMS addresses eight components: governance and leadership; relevant ethical requirements; acceptance and continuance; engagement performance; resources; information and communication; monitoring and remediation; and risk assessment process.

CSQM 2 (Canadian Standard on Quality Management 2): Establishes requirements for engagement quality reviews (EQR), including which engagements require an EQR, the qualifications of the engagement quality reviewer, and the reviewer's responsibilities. EQRs are mandatory for listed entity audits and may be required for other high-risk engagements.

10.2 The Risk-Based QMS under CSQM 1

The key innovation of CSQM 1 is the risk assessment process: firms must identify quality risks — the circumstances that create conditions in which quality objectives may not be achieved — and design and implement responses proportionate to those risks.

Quality objectives under CSQM 1 span eight components:

Governance and leadership: The firm’s culture and leadership set the tone for quality. Partners must model commitment to quality; compensation structures should not create incentives to compromise it.
Relevant ethical requirements: Independence, objectivity, and ethical conduct. The firm’s independence policies must address all applicable requirements (CPA Canada Code of Professional Conduct, securities regulations, PCAOB independence rules for registered firms).
Acceptance and continuance: The firm must only accept and continue client relationships and engagements where quality can be achieved. Acceptance decisions should consider client integrity, management’s attitude, and the firm’s competence to perform the work.
Engagement performance: Standards for how engagements are planned, supervised, and reviewed. Documentation requirements; procedures for addressing difficult or contentious matters; consultation processes.
Resources: Human resources (sufficient competent personnel), technological resources (audit tools, data analytics capabilities), and intellectual resources (methodologies, guidance, templates).
Information and communication: Systems for capturing and sharing information across the firm — including quality-related information that informs the QMS.
Monitoring and remediation: Ongoing assessment of whether the QMS is operating effectively; remediation of identified deficiencies. CSQM 1 requires annual monitoring, including inspection of completed engagements.
Risk assessment process: The overarching process by which quality risks are identified, assessed, and responded to — the engine of the risk-based QMS.

10.3 Engagement Quality Reviews

An Engagement Quality Review (EQR) is an objective evaluation of significant judgments made by the engagement team and the conclusions reached on the engagement. It is performed by a qualified reviewer who has not participated in the engagement.

Mandatory EQR engagements (under CSQM 2):

Audits of financial statements of listed entities.
Other engagements specified by the firm’s QMS as requiring EQR (typically based on risk criteria).
Engagements where law or regulation requires an EQR.

EQR responsibilities: The reviewer evaluates:

Significant risks identified and the engagement team’s responses.
Significant judgments made and conclusions reached, including the audit report.
Significant accounting and auditing matters identified during the engagement.
Consultations undertaken and whether conclusions are appropriate.
Sufficiency and appropriateness of the evidence supporting the conclusions.
Whether the proposed auditor’s report is appropriate.

The “engagement quality reviewer’s conclusion”: The reviewer must form an objective conclusion that significant judgments and the overall conclusions are appropriate before the engagement report is released. If the reviewer and engagement partner cannot reach agreement on a matter, the firm’s escalation process (typically involving a senior technical partner or committee) must be engaged.

10.4 PCAOB Standards and IAASB Convergence

Canada’s adoption of CAS (aligned with ISA) has broadly achieved convergence between Canadian and international audit standards. However, for public companies registered with the SEC and audited by PCAOB-registered firms, PCAOB standards apply — creating dual-standard considerations for Canadian auditors of SEC-registered entities.

Key PCAOB-CAS differences:

Area	PCAOB	CAS / ISA
Communications with audit committee	AS 1301 — specific requirements for pre-approval, communication of critical audit matters	CAS 260 — broadly similar but with differences in specifics
Critical audit matters (CAMs)	Required for large accelerated and accelerated filers	Key Audit Matters (KAMs) required for listed entities under ISA 701
Internal control over financial reporting	AS 2201 — integrated audit of ICFR required for large accelerated filers	No equivalent mandatory ICFR opinion under CAS
Audit documentation	AS 1215 — specific 45-day assembly period; 7-year retention	CAS 230 — similar but less prescriptive on timing
Fraud — brainstorming	AS 2401 — mandatory team discussion of fraud	CAS 240 — same requirement

The IAASB and PCAOB have been engaged in ongoing convergence efforts, particularly around audit evidence (AS 1105 / ISA 500), risk assessment (AS 2110 / CAS 315), and quality management. However, meaningful differences remain, particularly around mandatory ICFR reporting, which the IAASB has not required in its standards.

Chapter 11: Audit Data Analytics and Technology

11.1 The Analytics Revolution in Auditing

Audit data analytics (ADA) refers to the systematic computational analysis of large data sets to identify patterns, anomalies, or insights relevant to audit objectives. ADA has moved from an experimental specialty tool to a core component of audit methodology at major firms.

The transformative potential of ADA stems from one key shift: the ability to examine entire populations rather than samples. Traditional audit sampling is efficient but introduces sampling risk. ADA tools can ingest the full population of transactions and apply analytical tests to every item — eliminating sampling risk for that test.

ADA in the Standards: The CAS do not specifically address audit data analytics, but the fundamental standards (CAS 500 on audit evidence, CAS 520 on analytical procedures, CAS 530 on sampling) accommodate ADA within their existing frameworks. When ADA is used for full-population testing (rather than sampling), CAS 530 does not apply. When ADA generates expectations for analytical procedures, CAS 520 governs the evaluation. The IAASB has an ongoing project to develop guidance on ADA, recognizing that the existing standards were written in a pre-analytics era.

11.2 Journal Entry Testing with Analytics

Journal entry testing is one of the most impactful applications of ADA in financial statement audits. CAS 240 requires auditors to design and perform procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements.

Manual journal entry testing has historically been limited to samples of entries meeting risk criteria. ADA enables:

Full population extraction: All journal entries for the period (potentially millions of entries) are extracted from the GL system.
Automated risk stratification: Entries are classified by risk criteria — manual versus automated, entries made outside normal business hours, entries posted by unusual users or with unusual combinations of accounts, entries without supporting references, entries made on the last days of reporting periods.
Statistical anomaly detection: Benford’s Law analysis, clustering analysis, duplicate detection (same amount to same account on the same date).
Targeted follow-up: The auditor focuses investigation on the flagged entries — a much smaller population than the full set.

This approach is more comprehensive and more efficient than traditional sampling, provided the auditor:

Ensures the completeness of the journal entry population extracted (cannot miss entries).
Validates that the GL data is reliable before relying on it.
Applies professional judgment to evaluate the flagged entries — the tool identifies candidates for investigation, not conclusions.

11.3 Full-Population Testing vs. Sampling

When ADA enables full-population testing, the audit implications are significant:

Dimension	Traditional Sampling	Full-Population ADA
Coverage	Sample — typically 1%–5% of population	100% of population
Sampling risk	Present and must be managed	Eliminated
Non-sampling risk	Lower; limited procedures applied	Higher; auditor must exercise judgment on millions of data points
Fraud detection	Limited by sample coverage	Higher potential — unusual items can’t hide in untested transactions
Evidence quality	Depends on sample size and selection	High, provided data integrity is confirmed
Auditor documentation	Sample selection and results	ADA tool, parameters, and evaluation of flagged items

Full-population testing does not mean zero work — it means the effort shifts from sampling and extrapolation to data extraction, validation, parameter setting, and evaluation of flagged results.

11.4 Anomaly Detection and Machine Learning

Beyond rule-based ADA, machine learning algorithms offer the ability to identify patterns in data without explicit rules — potentially surfacing fraudulent patterns that auditors did not think to look for.

Unsupervised learning (clustering algorithms, isolation forests) identifies transactions that are statistically unusual relative to the broader population — high-dimensional outliers that would be invisible in one-dimensional analysis. For example, a transaction with an unusual combination of amount, timing, approving user, account combination, and customer may be flagged even if no single attribute is individually unusual.

Supervised learning (trained on labeled examples of fraudulent vs. legitimate transactions) can classify new transactions by probability of fraud. However, supervised models require substantial labeled training data — a challenge given that known fraudulent transactions are rare and often unrepresentative of novel fraud schemes.

Practical limitations of ML in audit:

Requires significant data volume to train and validate models.
Model outputs require interpretation — the auditor still exercises judgment on flagged items.
“Black box” models raise documentation and explainability concerns.
Models trained on historical patterns may not detect novel fraud.

11.5 Artificial Intelligence in Audit — Current Developments

AI applications in audit have expanded significantly with the development of large language models (LLMs) and sophisticated data analysis tools:

Contract review: AI tools can extract key terms from hundreds of contracts to support revenue recognition testing (identifying performance obligations, variable consideration, warranty terms).
Regulatory monitoring: AI can monitor regulatory changes and flag potential impact on audit clients.
Audit documentation review: LLMs can assist in reviewing draft working papers for completeness and consistency.
Risk identification: Natural language processing (NLP) applied to management’s discussion and analysis, earnings calls transcripts, and news sources can identify risk signals not visible in the financial statements alone.
Going concern assessment: Predictive models trained on historical going concern events can flag entities with elevated risk profiles.

Audit quality implications: AI tools require validation and oversight. An auditor who relies on AI output without understanding its basis and limitations is not exercising the professional judgment required by the CAS. Regulatory frameworks (CPAB, PCAOB) have not yet fully addressed AI in audit, but expect increased guidance as AI adoption accelerates.

The audit expectation gap and AI: Ironically, AI and ADA may widen the audit expectation gap before narrowing it. Users who observe that auditors now examine 100% of transactions using AI may expect that all fraud has been detected — misunderstanding that (1) full-population testing addresses only specific assertions and procedures, not all risks; (2) sophisticated fraud exploits data integrity rather than transaction-level anomalies; and (3) AI tools introduce their own reliability and bias risks that must be managed. Clear communication about the role and limitations of technology in the audit remains an important professional responsibility.

Chapter 12: Current Issues in Audit Strategy

12.1 The Audit Expectation Gap

The audit expectation gap — the difference between what auditors do and what the public believes they do — has existed since at least the 1970s but remains a persistent challenge. Three components have been identified in the literature:

Reasonableness gap: Some public expectations are inherently unreasonable given any feasible audit scope (e.g., guaranteeing 100% fraud detection). Education and communication can narrow this gap.
Performance gap: Auditors fail to perform work that current professional standards require. This is a quality failure, not a standards failure. CPAB and PCAOB inspections address this component.
Standards gap: Auditor responsibilities are insufficient relative to what reasonably informed users expect. This requires standards reform — expanding audit scope or clarifying limitations.

Expanded auditor reporting (Key Audit Matters under ISA 701/CAS 701, Critical Audit Matters under PCAOB AS 3101) represents an attempt to narrow the reasonableness gap by providing users with more insight into the audit process and the auditor’s focus areas.

12.2 Audit Reform Discussions in Canada and the UK

Canada: CPAB has been increasingly vocal about audit quality deficiencies, particularly at smaller public company auditors. The 2023 CPAB Annual Report identified significant inspection findings at 67% of the engagements reviewed at non-domestic firms. CPAB’s consultations on strengthening audit oversight, improving audit committee engagement, and addressing conflicts of interest in the audit model have generated ongoing discussion in the profession.

The Canadian Securities Administrators (CSA) have also engaged with questions around mandatory auditor rotation (periodic requirement to change audit firms) — a measure adopted in the EU (10-year maximum tenure, with public interest entity restrictions on non-audit services) but not in Canada or the US. Proponents argue mandatory rotation enhances independence; critics argue it sacrifices accumulated client knowledge without clear quality benefits.

United Kingdom: The UK’s Audit, Reporting and Governance Authority (ARGA) — successor to the Financial Reporting Council (FRC) — has pursued significant audit reform following the Carillion, BHS, and other high-profile failures. Key reforms include:

Audit firm operational separation: The major firms are required to operationally separate their audit practices from their consulting and advisory businesses by 2024, aimed at reducing conflicts of interest.
Joint audits and market concentration: The UK Competition and Markets Authority (CMA) examined the dominance of the Big Four in FTSE 350 audits and considered mandatory joint audits (requiring a smaller firm as co-auditor). While mandatory joint audits were not implemented, the discussion highlighted concerns about market concentration.
Resilience statements: Proposals to require companies to provide forward-looking resilience statements (including going concern assessments over a longer horizon than the current 12 months) would expand the scope of auditor assessment.

12.3 PCAOB and the US Regulatory Environment

The PCAOB has significantly increased enforcement activity under its post-2021 leadership, registering more enforcement actions and issuing more significant deficiency findings than in prior years. Key areas of PCAOB focus:

AS 2501 (Auditing Accounting Estimates): Updated guidance on applying professional skepticism to estimates, particularly in fair value and other complex estimate areas.
CAM communications: The PCAOB has studied whether Critical Audit Matter communications are providing meaningful information to investors or have become boilerplate. Research suggests that early CAM disclosures were informative but may be standardizing over time.
Cybersecurity and IT audit risks: PCAOB guidance on cybersecurity risk in auditing has expanded, reflecting the increasing relevance of cyber incidents to financial reporting (impairment, contingent liabilities, operational continuity).
Quality control: The PCAOB adopted a new quality control standard (QC 1000) effective December 15, 2025, broadly aligned with CSQM 1 but with PCAOB-specific elements.

12.4 ESG Assurance — Emerging Practice

Environmental, Social, and Governance (ESG) reporting has grown from voluntary disclosure to regulated requirement in many jurisdictions. In Canada, the CSA has proposed mandatory climate-related disclosure rules broadly aligned with IFRS S1 and S2 (the ISSB sustainability standards). In the US, the SEC adopted (and partially stayed pending litigation) climate disclosure rules in 2024.

Assurance over ESG information is distinct from financial statement auditing in several ways:

Criteria: While IFRS S1/S2 are converging, ESG criteria remain more diverse and less established than financial reporting frameworks.
Data reliability: Greenhouse gas emissions data, water usage, supply chain information — much of this data is estimated rather than transactionally recorded, with weaker underlying controls than financial data.
Practitioner competence: Financial statement auditors may not have expertise in environmental science, engineering, or social measurement required for credible ESG assurance.
Levels of assurance: Regulators and standard setters have proposed phased-in requirements — starting with limited assurance over some metrics and moving toward reasonable assurance over time.

CPA Canada and the IAASB are developing the ISSA 5000 standard — a new standard for sustainability assurance that would be applicable regardless of practitioner type (accountants or non-accountants). The standard is expected to be finalized and adopted in Canada in the near term.

Audit strategy implications of ESG: Even where ESG assurance is separate from the financial statement audit, ESG-related risks affect the financial audit. Climate-related physical risks affect asset impairment. Transition risks affect going concern and asset values. Carbon pricing affects cost structures. Greenwashing allegations create litigation contingencies. A sophisticated audit strategy for any entity with significant ESG exposure incorporates environmental and social risk into the entity understanding and risk assessment process.

12.5 Audit Quality Indicators and Transparency Reports

Audit quality indicators (AQIs) are quantitative measures intended to provide insight into the factors that drive audit quality. Developed by the PCAOB and CPA Canada, AQIs cover areas including:

Inputs: Partner and staff experience and workload; continuing professional education; specialist involvement.
Process: Restatement rates; internal inspection findings; peer review results; consultation frequency.
Outcomes: Regulatory inspection findings; enforcement actions; restatement frequency; going concern accuracy (did the auditor identify going concern issues before public default?).

Major audit firms in Canada publish transparency reports annually, disclosing information about their quality management systems, CPAB inspection results, and governance. These reports enable sophisticated users to assess audit quality across firms.

The development of meaningful AQIs remains a work in progress — many metrics that correlate with audit quality at the firm level are difficult to attribute to individual engagement quality, and firms have incentives to select and present favorable metrics.

Chapter 13: Integrated Audit Strategy — Bringing It All Together

13.1 From Risk Assessment to Audit Response

Effective audit strategy requires a coherent linkage from risk assessment to audit response — the identified risks must map directly to planned procedures. This linkage is the essence of risk-based auditing.

The linkage works as follows:

Identify significant risks at the assertion level (e.g., revenue — occurrence; inventory — existence and valuation; ECL provision — valuation and completeness).
Assess inherent risk for each significant risk (considering the nature of the account, management judgment involved, complexity of applicable standards, fraud risk factors).
Evaluate control design and implementation for controls that address the identified risks.
Assess control risk — is the auditor relying on controls (requiring tests of controls) or taking a primarily substantive approach?
Design substantive procedures proportionate to the remaining detection risk required — considering type (SAP vs. tests of details), timing (interim vs. year-end), and extent (sample size, threshold, coverage).

The integrated nature of this process means that changes in one element cascade through the others: if controls testing reveals unexpected weaknesses, control risk increases, detection risk must decrease, and substantive procedures must be expanded.

13.2 Documentation Requirements

Audit documentation serves two purposes: it supports the current engagement (forcing discipline in evidence gathering and evaluation) and it provides the evidential record if the audit is subsequently reviewed (by CPAB, a court, or a subsequent auditor).

CAS 230 (Audit Documentation) requires documentation of:

The nature, timing, and extent of audit procedures performed.
The results of those procedures and the audit evidence obtained.
Significant matters arising during the audit and the conclusions reached.
How the auditor addressed inconsistencies between significant items of audit evidence.

Significant judgment areas require particularly careful documentation: the reasoning behind conclusions, the alternatives considered and why they were rejected, and the evidence supporting the chosen position. The standard of documentation is the “experienced auditor” test — would an experienced auditor, with no prior knowledge of the engagement, be able to understand what was done, why, and what was concluded?

13.3 Audit Completion — Final Review and Evaluation

Before issuing the audit report, the engagement team performs a series of completion procedures:

Evaluate aggregate uncorrected misstatements: All identified misstatements above the clearly trivial threshold are compiled and their aggregate effect assessed. If aggregate uncorrected misstatements approach or exceed materiality, the auditor must request additional adjustments or modify the opinion.
Final analytical procedures: A broad review of the financial statements to assess whether they are consistent with the auditor’s understanding of the entity. Unexpected relationships at this stage may indicate undetected misstatements.
Consider subsequent events: Events between the balance sheet date and the audit report date are evaluated for their financial statement impact.
Obtain management representation letter: Written representations from management confirming their responsibility for the financial statements, their assessment of going concern, disclosure of known or suspected fraud, and other representations appropriate to the engagement.
Communication with those charged with governance (CAS 260): Required communication includes: the auditor’s responsibilities and planned scope; significant findings (including identified or suspected fraud, significant difficulties, significant unusual transactions, significant audit adjustments, and control deficiencies); and the auditor’s independence.
Engagement quality review: For listed entities and other qualifying engagements, the EQR must be completed before the audit report is released.

13.4 Key Audit Matters — Communication of Audit Judgment

Key Audit Matters (KAMs) — required under CAS 701 for audits of listed entities — are matters that, in the auditor’s professional judgment, were of most significance in the audit of the financial statements of the current period. They are selected from matters communicated with those charged with governance.

KAMs serve to communicate:

Which areas of the financial statements required the most significant auditor judgment.
What the risks were and why they were significant.
How the auditor addressed the risks — the nature, timing, and extent of key procedures and their results.

KAMs are not a substitute for a modified opinion — if there is an unresolved material misstatement, the auditor modifies the opinion; the KAM is used for matters where the audit work was sufficient to support the unmodified opinion, but the area was nonetheless significant.

Draft KAM — Complex Estimate (ECL Provision)

Expected Credit Losses on Loan Portfolio ($2.3 billion provision)

Why this matter was significant: The Bank’s loan portfolio of $38.4 billion is the most significant asset on the balance sheet, and the associated expected credit loss (ECL) provision involves significant management judgment. The ECL model incorporates forward-looking macroeconomic scenarios and requires management to assess, for each loan, whether there has been a significant increase in credit risk since origination (triggering a move from 12-month to lifetime ECL). Given the complexity of these judgments, the subjectivity of forward-looking macroeconomic inputs, and the materiality of the provision, we determined this to be a key audit matter.

How the matter was addressed: We evaluated the design and operating effectiveness of controls over the ECL process, including model validation, SICR assessment, and management overlay review. We engaged our valuation specialists to independently assess the appropriateness of the macroeconomic scenarios and probability weightings used by management. We tested a sample of individual loans to evaluate the accuracy of the SICR assessment. We compared the ECL model’s outputs to historical loss experience through backtesting. We evaluated the reasonableness of management overlays and their consistency with the supporting evidence. We assessed the adequacy of disclosures about key assumptions and estimation uncertainty.

Summary of Key Standards

Standard	Topic	Effective Date (Canada)
CAS 200	Overall objectives of the independent auditor	Active
CAS 240	Auditor’s responsibilities relating to fraud	Active
CAS 250	Consideration of laws and regulations	Active
CAS 260	Communication with those charged with governance	Active
CAS 300	Planning an audit of financial statements	Active
CAS 315 (Revised 2021)	Identifying and assessing risks of material misstatement	Dec 15, 2021 (early adoption)
CAS 320	Materiality in planning and performing an audit	Active
CAS 330	Auditor’s responses to assessed risks	Active
CAS 450	Evaluation of misstatements identified during the audit	Active
CAS 500	Audit evidence	Active
CAS 520	Analytical procedures	Active
CAS 530	Audit sampling	Active
CAS 540 (Revised 2019)	Auditing accounting estimates and related disclosures	Dec 15, 2020
CAS 550	Related parties	Active
CAS 570 (Revised)	Going concern	Active
CAS 600	Special considerations — audits of group financial statements	Active (Revised ISA 600 in progress)
CAS 620	Using the work of an auditor’s specialist	Active
CAS 700	Forming an opinion and reporting on financial statements	Active
CAS 701	Communicating key audit matters	Listed entities
CAS 705	Modifications to the opinion in the independent auditor’s report	Active
CAS 706	Emphasis of matter paragraphs and other matter paragraphs	Active
CSQM 1	Quality management for firms	Dec 15, 2022
CSQM 2	Engagement quality reviews	Dec 15, 2022