Our Audit Quality Assessment program is a two-pronged approach that includes file and quality management systems inspections. Each year, CPAB inspects all firms that audit 100 or more reporting issuers. We also inspect, at least every two years, firms with between 50 and 99 reporting issuer audits. Over three years, the majority of Canadian audit firms registered with CPAB are inspected. Many of the foreign firms are subject to oversight by other audit regulators in their jurisdiction. These firms are inspected periodically based on CPAB's risk analysis.
In preparing for each firm inspection, CPAB asks the audit firm for information related to the following six elements of quality control:
The inspection team evaluates the information provided considering the firm's Composite Risks, including prior inspection results, and determines the Elements to review. The team is particularly interested in process changes and, for annually inspected firms, maintains an evergreen document as a record of procedures in respect of each Element.
Individual file inspections results also help determine Elements to be examined. While the primary focus of inspections is on the quality of the audit work, as evidenced in the audit files, deficiencies identified may cause the inspector to look at aspects of the firm's quality control processes. For example, CPAB may ask to see performance evaluations and training taken by the staff on the engagement or if the RI is outside the audit firm's comfort zone, we may ask to see the client acceptance procedures that were performed.
For each individual file selected, CPAB asks the engagement team to prepare a profile outlining key metrics including the names of senior engagement team members, specialists used, the hours charged etc. It also identifies key engagement deliverables. The engagement profile is usually given to CPAB two weeks prior to the file inspection and provides the inspector an opportunity to get familiar with the RI and its issues prior to the initial meeting with the engagement team. The inspector will review publicly available information such as the financial statements and Management's Discussion and Analysis, as well as any file-specific information identified in or attached to the profile.
The file inspection typically begins with a meeting between the CPAB inspection and engagement teams. This provides CPAB with additional background on the audit engagement and includes a high-level discussion of the audit approach to the focus areas.
It is important to note that CPAB does not inspect the entire audit file (not a cover to cover review). Usually, inspectors consider between two and four focus areas as a basis for assessing the quality of audit work in a selected file. These areas are generally material high-risk financial statement items requiring more complex estimates and judgments (e.g., impairment of long-lived assets, fair values of financial instruments, provision for warranties etc.) by RI management and which present the most challenge to the engagement team. The inspection of an individual focus area covers the various stages of the audit process: planning, evaluation and reliance on internal controls, execution, evaluation of results, financial statement presentation and disclosure, and reporting to the audit committee. Core areas such as materiality, risk assessment and fraud are also reviewed for each file.
Public accounting firms must do more to fully embed audit quality, consistently. While most audits we inspect comply with the required standards, recurring engagement file inspection themes indicate that weaknesses in quality management systems persist, leading to inconsistent audit execution. Firm policies and processes − at both the leadership and engagement team levels − that manage risk and get the right people working on the right things at the right time, all the time, are essential to delivering high quality audits, consistently.
To help accelerate improvement, CPAB has evolved our audit oversight methodology (supplementary to our engagement file inspections) to assess the effectiveness of the QMS at the four largest firms. This quality assessment approach underscores the need for firms to systemically embed audit quality into ongoing operations across the entire assurance portfolio.
CPAB’s audit oversight methodology also includes assessing the effectiveness of the quality management systems at Canada’s the four largest public accounting firms. This quality assessment approach underscores the need for firms to systemically embed audit quality into ongoing operations across the entire assurance portfolio.
Before an inspector drafts a significant inspection finding, they confirm with the engagement team that CPAB has been provided all available audit evidence. This ensures that the inspector has all the facts before making a conclusion. The inspector also consults with other CPAB staff with expertise in the area in question, as appropriate, and then discusses the proposed finding with the inspection team leader.
Once the inspection team determines that a significant inspection finding has been identified, it is referred to a panel of CPAB executives for review. This serves as a quality control check and is intended to ensure consistent treatment of similar findings across all inspections. Once it is agreed that the matter is a significant inspection finding, the inspector documents the finding in writing in an Engagement Findings Report (EFR). The EFR is then reviewed and approved by the team leader and CPAB executives and presented to the engagement team.
CPAB usually expects to receive a firm's written response to a significant inspection finding within 10 business days.
In most cases, CPAB requires the engagement team to perform more audit work in the current year, to be satisfied there is not a material error in the financial statements that requires restatement. The engagement team must also provide CPAB with evidence and the results of the additional audit work undertaken. If it is decided that a restatement is necessary, CPAB requires the audit firm to advise the RI, including its audit committee. The inspection team follows up to make sure the restatement has occurred. In other cases, the disposition might require the engagement team to add considerable evidence to the audit file of the audit work that was performed but not evidenced in the audit file. Frequently, CPAB's dispositions will also require changes to the firm's audit approach going forward.
It is important to note that the audit firm is required to implement CPAB's recommendations and must do so in a timely manner. Failure to comply could lead to disciplinary action.
At the end of the firm inspection, CPAB meets with firm leadership to discuss the overall inspection results, then issues its inspection report (a private communication between CPAB and the firm). The inspection report includes a summary of findings and recommendations to improve audit quality.
Each firm shares their file-specific significant inspection findings, and CPAB's public inspections report, with their clients' audit committees as per their participation in the Protocol for Audit Firm Communication of CPAB Inspection Findings with Audit Committees (Protocol). The public report includes common inspections findings and questions for audit committee consideration to encourage more robust discussions among management, the firm and audit committees and to support audit committees in their oversight responsibilities.
The audit firm must implement the recommendations to CPAB's satisfaction within a prescribed period, which is typically no more than 180 days.
CPAB actively engages with firms throughout the inspections cycle to resolve issues as they arise during our reviews. Our Rules provide a robust framework of remediation and disciplinary mechanisms to address audit quality deficiencies at the firm and file levels. This allows us to respond quickly when we believe more work is required to support the audit opinion. For example, CPAB operates under the principle that, within 10 days of determining a file deficiency, we notify the firm; we then require their remediation plan within another 10 days. CPAB expects that firms will remediate file deficiencies before their reporting issuer’s next quarterly report or next audit committee meeting.
If a firm fails to improve, CPAB has the authority to impose discipline at three levels: Requirement, Restriction and Sanction. This can include publicly naming a firm and restricting it from auditing public companies and helps to ensure that firms act quickly and appropriately to resolve deficiencies. Finally, where CPAB imposes a disciplinary action related to a defect in the firm’s system of quality control, and the firm fails to address it to CPAB’s satisfaction within a specified time period, the firm must notify the audit committees of all its reporting issuers. As a general rule, CPAB begins with imposing a Requirement for the first instance of disciplinary action:
A firm may petition for a review proceeding in the following three scenarios: 1) when the board intends to make public the weaknesses, deficiencies and recommendations in the system of quality control, or deficiencies in specific engagements, not addressed or remedied to the satisfaction of the board; 2) when the board proposes to impose Requirements, Restrictions and Sanctions in the case of a Violation Event; 3) in connection with an application for membership not accepted by the board. Investigations may take place when the board considers that a Violation Event may have occurred, and it wishes to seek information and the cooperation of the firm with respect to such matters. A Violation Event is defined in CPAB’s Rules as: (i) an act or omission in violation of CPAB’s Rules or chartered professional accountant standards; (ii) a failure to supervise a person to prevent such violations, and the person has committed the act or omission; (iii) a failure to cooperate with the terms of an inspection or investigation; or (iv) a failure to comply with the terms of any Requirement, Restriction or Sanction imposed by CPAB.