Guideline on Recipient Audits Under the Policy on Transfer Payments and the Directive on Transfer Payments

A risk management model for transfer payments at the project or recipient level is a tool that identifies risk factors and risk ratings that can be used to assess the overall risk related to a particular recipient. It is recommended that the risk management model be applied prior to a funding agreement being signed with a recipient and re-applied throughout the duration of the agreement, as needed.

The risk management model (see partial illustrative example below) can include the following:

• Risk factors: Areas of risk developed with consideration of such items as performance risks (stated objectives of projects not achieved), financial risks (funding may not be used for intended purpose or reported accurately), and risk tolerances;³
• Risk assessment scale or risk rating: For each risk factor, the range of ratings for that risk factor based on assessment criteria;
• Assessment criteria: Conditions to be considered in assigning a relevant risk rating to a risk factor for a particular recipient;
• Weighting of risk factor: Value assigned to each risk factor in relation to overall risk score based on its relative importance or impact as compared with other risk factors;
• Overall risk score: Measure of overall risk related to a particular recipient based on the above four bullets (e.g., low to high); and
• Risk assessment scoring matrix: The overall risk level based on the overall risk score.

Based on the results from the risk management model at the project or recipient level, a risk-based plan for recipient audits at the program level can be developed by the departmental manager, as required. As per section 6.5.3 of the Directive on Transfer Payments, departmental managers are responsible for "determining when recipient audits are necessary to complement other departmental monitoring activities, and developing and executing a risk-based plan for these recipient audits."

Some departments may have in place a departmental-driven risk assessment and management system where the departmental manager inputs risk data related to a particular recipient and funding agreement. The system will advise the departmental manager on appropriate monitoring activities, including the need for a recipient audit. Alternatively, a department may have a more manual risk assessment and management system that departmental managers use at their discretion in determining appropriate monitoring activities for a recipient.

The output from the risk management model discussed in section 4.1 can be a risk mitigation strategy like the one shown below, which outlines suggested activities based on assessed risk. This strategy can help departmental managers prepare a program risk-based plan for recipient audits. The illustrative example below suggests that there be mandatory recipient audits for recipients that have been assessed as having an overall high-risk level⁴ and random selection⁵ for recipient audit of recipients that have low- to medium-risk levels.

In putting together a risk-based plan for recipient audits of a particular transfer payment program, the departmental manager should be clear on the plan's intent. In some cases, the intent may be to focus recipient audits on recipients where risks appear highest. Alternatively, or additionally, the departmental manager may wish to design the risk-based plan to allow general conclusions to be reached about recipient compliance across the program; this requires that a statistically valid sample of recipients be subject to audit.

In preparing risk-based plans, departmental managers are to use discretion if, in their judgment, a recipient audit should or should not be conducted (e.g., override of the departmental risk management model).⁶ A departmental manager may decide that a recipient audit is not necessary because reliable alternative sources of assurance may meet their needs, such as:

• A departmental "initial visit" to the recipient to reach a common understanding of the funding agreement and to clarify financial reporting and documentation expectations;
• Recent recipient audit(s) of the recipient for another departmental program or by another department with appropriate commonality;
• Representations⁷ by recipient officials;
• Representations by the recipient's external auditor;
• The recipient's audited financial statements;⁸
• Recipient reports or results that are better than anticipated, with appropriate evidence; 
• Internal audits conducted by the recipient; and
• Evaluations conducted by the department.

Departmental managers' risk-based plans at the program level may be useful for preparing a consolidated departmental level risk-based plan, if desired. Such a plan may help departments ensure a more coordinated approach for recipient audits of the same recipient. Appendix E illustrates a possible format of risk-based plans and highlights the need to properly document processes and decisions. 

Much of the material in sections 4.1 and 4.2 of this document related to risk management models has been drawn from Guidance on the Design and Application of Risk Management Tools for Grants & Contributions Projects, by the Interdepartmental Working Group on Grants and Contributions Risk Management.^[9] Another source of information on risk management models is the Treasury Board's Integrated Risk Management Framework. Due to the simplification of the material in sections 4.1.and 4.2, it is recommended that more detailed material, such as that referred to above, be considered before beginning a risk management project.

To conduct recipient audits, funding agreements need audit provisions.
Appendix G of the Directive on Transfer Payments identifies elements needed to establish the department's right to conduct recipient audits and to access the recipient's documents and premises. Specifically, it identifies the following:

• The minister's right to undertake a recipient audit to determine whether the recipient has complied with the funding agreement; and
• The minister's right of access to the recipient's documents and premises for the purpose of conducting an audit or monitoring compliance with the funding agreement.

Departments are reminded that the performance of recipient audits for transfer payments programs, other than contributions, require similar elements in funding agreements or some other legal basis. As well, recipient audit provisions are not always required in contributions agreements with other orders of government¹⁰ or with foreign recipients.  Funding agreements for grants normally do not have recipient audit provisions; however, these may be included where a department deems them appropriate.

With regard to access to the recipient's documents, a minimum period of right of access after the end of the funding agreement should be considered, at the discretion of departmental managers or at a higher program policy level. In such a case, the minister has right of access to documents related to the expired funding agreement (three to five years past the end of the funding agreement seems reasonable).

It is recommended that departments consult with departmental contracting and procurement staff and/or legal services to determine the precise wording for funding agreements in order to allow for recipient audits and right of access. 

The level of assurance is the degree of confidence that the departmental manager has in the conclusion of the recipient audit report. The level of assurance is linked to the nature of engagement conducted by the auditor. An audit provides high or reasonable assurance, whereas a review engagement provides moderate assurance.

In determining the appropriate level of assurance for a recipient audit, the departmental manager is to be guided by recipient risk as well as by an awareness of the nature of different types of engagements that an auditor can conduct. An audit engagement includes such procedures as inspection, observation, enquiry, confirmation, recalculation and analytical procedures. A review engagement consists primarily of enquiry, analytical procedures and discussion of information provided by the recipient, with the level of work being less extensive than for an audit.

For the same subject matter, an audit engagement can be expected to be more costly than a review engagement due to the greater level of work to achieve the higher level of assurance. Costs and benefits of higher assurance are to be considered as well as what is being audited. Non-financial clauses in funding agreements can be very costly to audit to a high assurance level. As well, it may not be possible to obtain a high assurance given the information available or the nature of the clause.

For a particular funding agreement and the clauses selected for a recipient audit, a departmental manager may decide that high assurance is needed for some clauses and moderate assurance for other clauses. The mechanics of such a recipient audit should be discussed in detail with the auditor.

Departmental managers have another option available to them: specified auditing procedures for which particular information may be sought regarding certain clauses in the funding agreement. The auditor simply performs specified auditing procedures as requested and specified by the departmental manager. Specified auditing procedures do not result in either an audit opinion¹¹ or negative assurance¹² but rather provide factual information about certain clauses in a funding agreement (e.g., timesheets were available to provide support for 9 of 10 claims sent to the department). In this way, the departmental manager may be able to confirm if there is a legitimate problem and adjust recipient monitoring accordingly.  

Within this guideline, the meaning of "recipient audit" and "audit" are different. "Recipient audit," as defined in the Directive on Transfer Payments, is an independent assessment to provide assurance on a recipient's compliance with a funding agreement. The scope of a recipient audit may address any or all financial and non-financial aspects of the funding agreement.

A "recipient audit" can be:

• An "audit" with high or reasonable assurance;
• A review engagement with moderate assurance; or
• Specified auditing procedures with no assurance.

It is up to the departmental manager to decide what a recipient audit means in any particular circumstance, based on assessed risk, desired level of assurance and cost-benefit considerations.

Departmental managers are to be aware of limitations that can apply to a recipient audit, such as:

• A recipient audit will not provide absolute assurance (the recipient audit cannot provide a 100-per-cent guarantee there will be no errors or omissions in the financial or non-financial information or compliance with a funding agreement).
• A lower level of assurance can be expected for non-financial clauses due to the inherent difficulty of assessing these types of clauses (assessment of compliance with non-financial clauses are more difficult due to their less objective nature).
• Fraud is more difficult to detect than errors due to efforts made to conceal fraud.
• An auditor very rarely reviews 100 per cent of the relevant financial transactions, and, in some cases, even representative sampling¹³ may not be performed.
• Internal controls have limitations (internal controls would likely not detect errors in judgment, collusion between individuals, management override, and inappropriate transactions or activities due to inability to properly segregate duties due to the size of an organization).
• Much of the evidence reviewed may be persuasive but not conclusive.

The scope of a recipient audit, standards used to conduct the recipient audit, and criteria for the recipient audit are key concepts for the departmental manager to understand. As per section 6.5.3 of the Directive on Transfer Payments, departmental managers are responsible for "determining the scope of recipient audits to be undertaken and the standards to be applied." In addition, as per section 6.5.4 of the Directive on Transfer Payments, the departmental manager is responsible for "communicating to the auditor the scope of the recipient audit to be undertaken, the standards to be followed and the nature of the report to be provided to the department."

The scope of a recipient audit refers to what is subject to audit. The scope referred to in sections 6.5.3 and 6.5.4 of the Directive on Transfer Payments refers to the scope of the recipient audit to be undertaken rather than the scope of the recipient audit report. For example, the scope of a recipient audit can be the claimed amounts (as defined in the terms and conditions of agreement XYZ) for the period April 30, 20XX, to September 30, 20XX. Conversely, the "scope" paragraph of a recipient audit report may describe the standards by which the recipient audit was conducted, the level of assurance and what is included in the recipient audit.¹⁴

The standards that may be used or may apply to a recipient audit are rules by which the auditor conducts the engagement. For example, the Canadian Institute of Chartered Accountants (CICA) has Canadian generally accepted auditing standards for audits, which include general, examination and reporting standards for various types of engagements. The CICA also has Canadian generally accepted standards for review engagements, which include general, review and reporting standards. The International Standards for the Professional Practice of Internal Auditing (IIA Standards) include attribute and performance standards as well as practice advisories for engagements. The material in this guidance document draws extensively from the CICA standards, which have been commonly used for recipient audits. However, other standards may be appropriate, depending on the anticipated engagement. It is recommended that the applicable standards used to conduct a recipient audit are referred to in both the agreement for recipient audit services and in the recipient audit report.

Departmental managers are expected to have some understanding of standards used by the auditor but not an in-depth knowledge of the standards themselves.¹⁵ Note that the CICA standards are currently in a transition phase. It is recommended that departmental managers seek the expertise of auditors in determining the appropriate standards to be used for recipient audits. It is the responsibility of the auditor to have an extensive knowledge of standards selected by the departmental manager and to conduct the recipient audit by said standards.

Criteria are used to assess financial or non-financial information against benchmarks. For example, in a financial statement audit, financial statements are audited to see if they are in accordance with generally accepted accounting principles. In the case of a recipient audit, financial or non-financial information is assessed to see if it is in accordance with a particular funding agreement between the department and the recipient. As needed, auditors may develop more detailed criteria related to clauses selected for review in the funding agreement. Depending on previous agreement, the departmental manager may be given the opportunity to review or approve the more detailed criteria before the recipient audit begins.

The purpose of a recipient audit report is for the auditor to express a conclusion on the subject matter for which the recipient is accountable to the department. The nature of the recipient audit report is generally dictated by the nature of the engagement and whether significant concerns have been identified during the engagement, including insufficient appropriate evidence. For example, an audit has a different style of report than a review engagement. If sufficient appropriate evidence is not available, the report will contain a reservation explaining the problem. As well, the nature of the report can vary depending on whether both financial and non-financial clauses of the funding agreement were reviewed during the engagement.

With the assistance of the auditor, departmental managers should consider including an agreed upon recipient audit report template in the agreement for audit services.¹⁶ This helps clarify the departmental manager's needs and avoid any misunderstanding about deliverables.

Departmental managers have several options for recipient audit reports. Some examples of recipient audit reports (by assurance levels) are shown in Appendix G.

Currently, departmental managers have the following options available when selecting an independent auditor for a recipient audit:

• Audit Services Canada (ASC);
• Professional Audit Support Services Supply Arrangement (PASS SA), Stream 8 (Recipient and contribution agreement audits); and/or
• A departmental recipient audit group.

ASC (formerly a component of Consulting and Audit Canada) is a special operating agency of the federal government that provides audit, assurance and audit-related services to federal departments and agencies. Departments can engage ASC through a memorandum of understanding that outlines services to be provided and the agreed upon fee.

The PASS SA is a method of procurement of audit and financial management services. The supply arrangement is expected to allow for a fast, efficient and streamlined approach to service procurement through an existing pre-qualified pool of service providers and its integration into the existing procurement system.

Departments without a dedicated recipient audit group have the choice of using either ASC or the PASS SA for their recipient audit needs. Departments may be able to engage services through means other than these two services if they demonstrate to Public Works and Government Services Canada that their needs cannot be met by either.

However, a department may have a dedicated departmental recipient audit group. This group should be staffed with indeterminate employees, with any additional staffing needs met by ASC or the PASS SA, as appropriate.

In all cases, recipient audit staff are to have sufficient expertise to conduct a recipient audit of both the financial and non-financial clauses in the funding agreement, as required. Section 6.2 of this guideline discusses the situation where the use of specialists is required for recipient audits.

Section 6.5.4 of the Directive on Transfer Payments states that the departmental manager is responsible for "selecting an independent auditor to undertake a recipient audit for the department." The term "independent auditor" is meant to imply that the auditor is independent of the recipient and that a conflict of interest, either actual or perceived, does not exist between the auditor and the recipient. The term "independent auditor" can also be interpreted to mean that the auditor is free of any bias toward program management or the department.

Currently, some departmental internal audit groups are conducting recipient audits. This practice is not encouraged, because recipient audits are not within the mandate of internal audit and because of concerns about the independence of internal auditors. The role of departmental internal audit groups is to provide professional review and assessment, independent of line management, of departmental risk management, control and governance processes. Internal audit personnel need to maintain their independence in order to audit the recipient monitoring process, which includes recipient audits. Departmental managers, however, should feel free to seek general advice from departmental internal auditors on recipient audit concepts, such as scope, standards and reports.

Departmental contracting and procurement staff should be consulted for up-to-date procurement options for recipient audit services, as appropriate.

Departmental managers may decide, in selecting the scope of a recipient audit, that both financial and non-financial clauses of the funding agreement should be included. The auditor may use the services of one or more specialists to ensure sufficient expertise to review all clauses selected (e.g., official languages, informatics). The departmental manager and the potential auditor should discuss the possible need for a specialist and, where appropriate, document this requirement in the agreement for recipient audit services.

The departmental manager is responsible for communicating to the recipient the planned recipient audit and the authority to perform the audit. The departmental manager should be sensitive to the needs or possible conflicts of the recipient when determining the appropriate timing for the recipient audit. This timing, of course, needs to be suitable for the recipient, the department and the auditor.

The departmental manager may also discuss with the recipient the following:

• The purpose of the recipient audit, i.e., an independent assessment to provide assurance on the recipient's compliance with the funding agreement;
• Who will be conducting the recipient audit;
• Responsibilities of the recipient during the audit (e.g., availability and completeness of financial and non-financial information subject to audit, information related to fraud and error, required written assertions related to the information, and assistance to the auditor); and
• Whether the recipient will have the opportunity to review and discuss recipient audit findings with the auditor or departmental manager and provide concurrence.

After the recipient is made aware of the upcoming audit by the departmental manager and an agreement for audit services has been signed (if applicable), the auditor can begin to communicate with the recipient for audit purposes.

The departmental manager should maintain contact with the auditor throughout the recipient audit process. As per section 6.5.4 of the Directive on Transfer Payments, the departmental manager is responsible for "communicating to the auditor the scope of the recipient audit to be undertaken, standards to be followed, and the nature of the report to be provided to the department." At the recipient audit planning stage, the departmental manager should advise the auditor of any areas of concern. Presumably, the scope of the recipient audit reflects these areas.

The departmental manager may want to be involved in the development and approval of more detailed criteria (as needed) related to clauses selected for review in the funding agreement.

The auditor should discuss with the departmental manager recipient audit findings and the draft recipient audit report before issuing the final report.

The first step of a recipient audit is recipient audit planning. Once an agreement for recipient audit services has been negotiated and signed, the auditor begins to plan the recipient audit. During the planning stage of a recipient audit, the auditor may review such items as the funding agreement, recipient claims and any previous recipient audits. The auditor may also meet with the department to discuss areas of concern. It is at this stage that the auditor may look at internal controls of the recipient related to the funding agreement. A review of internal controls related to the agreement may necessitate a visit to the recipient or can be done by other means, such as a questionnaire or enquiry.

Based on issues identified, the auditor determines the nature, extent and timing of additional recipient audit procedures. This is documented in a planning memorandum, which can include recipient audit objectives, recipient audit criteria, recipient audit programs and a sampling of transactions. A recipient audit objective is a general statement of the expected output of a recipient audit (e.g., to assess the compliance with a funding agreement). Recipient audit programs document specific steps that the auditor carries out to examine particular areas, such as direct material, salaries or labour expenses, overhead, etc. If applicable to the recipient audit, a sampling of transactions is the number of items in a population of transactions (e.g., direct material) that an auditor reviews.

The second step of a recipient audit is recipient audit execution. The recipient audit is conducted as per the planning memorandum with adjustments being made, if further issues become apparent during the recipient audit. Recipient audit programs are completed with sampled transactions reviewed (if reasonable or high assurance is required). Recipient audit work, including evidence related to any errors or observations, is documented in recipient audit files (e.g., working papers) at this stage to support the conclusion of the recipient audit.

The third step of a recipient audit is recipient audit reporting. After the execution of the recipient audit, the auditor prepares a recipient audit report. Some possible formats of the report are shown in Appendix G.

Recipient audit quality controls (RAQC) occur throughout all three steps above. RAQC are actions or procedures implemented by the recipient auditor to ensure that objectives of the engagement have been properly and adequately achieved. RAQC should be part of any recipient audit and should be in accordance with standards being used by the auditor.¹⁹ RAQC procedures in a recipient audit may include the following:

• Adequate recipient audit planning;
• Adequate competencies of the recipient audit team as well as proper supervision, as required;
• Review of engagement working papers for possible outstanding issues, adequacy of work and appropriateness of conclusions;
• Ethical requirements regarding independence of auditor, integrity and conflict of interest; and
• Possible review of engagement working papers by persons outside of the recipient audit team.