Audit and assurance coverage for engagement acceptance, criteria, standards, materiality, risks, procedures, evidence, reporting, and quality management.
Audit and assurance is the largest Assurance elective area. It asks the candidate to move from engagement purpose to risk assessment, criteria selection, procedure design, evidence evaluation, reporting, and communication. The strongest responses do not recite generic audit language. They explain what the practitioner should do next and why the fact pattern supports that response.
Exam emphasis: 50-70%.
flowchart LR
A["Engagement objective"] --> B["Users and criteria"]
B --> C["Risk assessment"]
C --> D["Procedure design"]
D --> E["Evidence evaluation"]
E --> F["Conclusion and communication"]
This chapter should be studied as an engagement judgment sequence. Early sections focus on understanding the entity, users, criteria, standards, and acceptance issues. Middle sections focus on materiality, risk assessment, procedures, IT, sampling, work performance, and documentation. Later sections focus on evidence evaluation, reporting, stakeholder communication, special engagements, control deficiencies, quality management, and repeat-engagement updates.
| Section | Main question | Study focus |
|---|---|---|
| 3.1 Entity Risk | How do operations, risks, controls, and monitoring shape the engagement? | Process understanding, risk mapping, control response, walkthroughs, monitoring, and remediation. |
| 3.2 Control Frameworks | How should control design, operation, and IT dependencies be evaluated? | Framework selection, design effectiveness, operating effectiveness, IT controls, and deficiency implications. |
| 3.3 Assurance Needs | What service best fits the users, decision, subject matter, and criteria? | Assurance level, engagement type, stakeholder requirements, non-assurance services, and report use. |
| 3.4 Standards Changes | How should a new standard, exposure draft, or trend change the engagement plan? | Scope, criteria, procedures, documentation, communication, and reporting updates. |
| 3.5 Acceptance & Ethics | Should the engagement be accepted or continued? | Independence, competence, resources, ethical threats, client integrity, and engagement letters. |
| 3.6 Criteria Selection | Are the criteria suitable for the subject matter and users? | Framework selection, criteria quality, management responsibility, and report limitations. |
| 3.7 Canadian Standards | Which Canadian assurance standard or engagement guideline fits the work? | Standard selection, engagement objective, user decision needs, and conclusion form. |
| 3.8 Materiality | What matters to users in this engagement? | Materiality, significance, qualitative factors, thresholds, and decision context. |
| 3.9 Risk Assessment | Where can material error, non-compliance, or unreliable subject matter arise? | Financial statement risk, assertion risk, transaction risk, balance risk, disclosure risk, and project risk. |
| 3.10 Procedure Design | What evidence should be obtained, when, and from whom? | Nature, timing, extent, source reliability, audit programs, and procedure alignment. |
| 3.11 IT, Sampling & Others | How do systems, samples, and others’ work affect the evidence plan? | IT environment, computer-assisted techniques, sampling, specialists, internal audit, and reliance decisions. |
| 3.12 Work Plan | How should planned work be performed and supervised? | Skepticism, due care, supervision, review, competence, and plan execution. |
| 3.13 Documentation | What should the working papers show? | Significant findings, risk assessment, procedures performed, evidence obtained, and conclusions reached. |
| 3.14 Evidence Evaluation | Is the evidence sufficient and appropriate? | Reliability, inconsistencies, exceptions, fraud indicators, further work, and unresolved matters. |
| 3.15 Conclusions & Reporting | What conclusion or report response is supportable? | Unadjusted errors, scope limits, fraud implications, report wording, and further evidence. |
| 3.16 Stakeholder Communication | Who must be told what, and in what form? | Management letters, audit committee communication, stakeholder reporting, and independence-sensitive recommendations. |
| 3.17 Special Engagements | How do non-routine assurance projects change the approach? | Value-for-money audits, program evaluations, operational audits, and comprehensive projects. |
| 3.18 Control Deficiencies | How serious is a control deficiency, and how should it be communicated? | Deficiency classification, improvement recommendations, compensating controls, and communication level. |
| 3.19 Quality Management | Was the engagement quality process adequate? | Quality management, engagement review, conclusion support, consultation, and documentation. |
| 3.20 Repeat Engagements | What changes when the practitioner returns to a recurring engagement? | Prior findings, changed circumstances, updated risk assessment, and revised procedures. |
Use every case fact to answer one of five questions:
| Trap | Better response |
|---|---|
| Writing generic audit language. | Tie the response to the actual engagement objective, users, criteria, and assurance level. |
| Naming a risk without a procedure. | Explain what evidence would respond to the risk. |
| Naming a procedure without a purpose. | State which risk, assertion, criterion, or conclusion the procedure addresses. |
| Finding an exception without a conclusion. | State whether more work, adjustment, communication, or report modification is needed. |