Guideline on Recipient Audits Under the Policy on Transfer Payments and the Directive on Transfer Payments

The purpose of this guideline is to assist departmental managers in meeting their responsibilities under the Policy on Transfer Payments and the Directive on Transfer Payments as they relate to recipient audits (see Appendix A for key excerpts from both the policy and directive). This guideline provides an overview of the recipient audit process and is a non-mandatory tool to assist departmental managers. Departmental managers are encouraged to share this guideline with their auditor to assist in planning and decision making related to a recipient audit.
Date modified: 2024-10-03

More information

Directive:

Policy:

Terminology:

Hierarchy

Archives

This or these guideline(s) replace:

View all inactive instruments
Print-friendly XML

1. Introduction

The purpose of this guideline is to assist departmental managers in meeting their responsibilities under the Policy on Transfer Payments and the Directive on Transfer Payments as they relate to recipient audits.Footnote 1 This guideline provides an overview of the recipient audit process and is a non-mandatory tool to assist departmental managers. Departmental managers are encouraged to share this guideline with their auditor to assist in planning and decision making related to a recipient audit.

Deputy heads’ responsibilities include ensuring cost-effective oversight and internal controlFootnote 2 to support the management of transfer payments. This oversight includes recipient monitoring, which includes recipient audits. Administrative requirements on recipients, including those related to recipient monitoring, are to be in proportion to the risk level. Recipient monitoring, reporting and auditing are to reflect risks specific to the program, the value of funding in relation to administrative costs and the risk profile of the recipient. Transfer payments are to be managed in a manner that is sensitive to risks, complexity, accountability for results and economic use of resources.

Recipient monitoring relates to activities undertaken or coordinated by a departmental manager to control risks related to a recipient and to ensure compliance with obligations and performance objectives in a funding agreement. Activities may include the following:

  • Confirming documentation from the recipient;
  • Contacting the recipient for monitoring purposes;
  • Assessing recipient reports (financial and performance) in a timely manner;
  • Reviewing project progress periodically;
  • Visiting the recipient on-site; and
  • Conducting a recipient audit.

It is expected that the level of monitoring increases proportionally with the importance or sensitivity, complexity and materiality of a program; the value of funding; and the risk profile of the recipient.

Departmental managers are responsible for determining when recipient audits are necessary to complement other departmental monitoring activities. They are also responsible for developing and executing a risk-based plan for these recipient audits.

When a recipient audit is necessary, a departmental manager is responsible for determining its scope, standards to be applied and the nature of the report to be provided to the department. The departmental manager is also responsible for communicating this information to the selected independent auditor. (Directive on Transfer Payments – Section 6.5)

As set out in section 7 of this guideline, departmental managers are strongly encouraged to coordinate recipient audits of a single recipient both within the department and, to the extent possible, with other departments, whenever feasible. This is consistent with recommendation 19 of the Independent Blue Ribbon Panel on Grant and Contribution Programs. See Appendix B for this and other recommendations relevant to recipient audits.

2. What Is and What Is Not a Recipient Audit?

A recipient audit is an independent assessment to provide assurance on a recipient’s compliance with a funding agreement. The scope of a recipient audit may address any or all financial and non-financial aspects of the funding agreement. The funding agreement is generally for a contribution; however, grant funding agreements may include recipient audit provisions, where a department deems them appropriate.

A recipient audit involves reviewing and possibly testing compliance with a funding agreement and may include the following:

  • Reviewing tasks performed by the recipient in conducting its activity, initiative or project;
  • Testing the validity of any reports submitted;
  • Assessing internal controls related to the funding agreement;
  • Reviewing eligibility of expenditures incurred by the recipient; and
  • Confirming that performance objectives defined in the funding agreement are being achieved.

The decision to conduct a recipient audit and its comprehensiveness is risk-based. This is discussed further in section 4, “Selection of Recipients for Recipient Audit,” and section 5.2, “Level of assurance-Audit, review engagement and specified auditing procedures.”

A recipient audit does not encompass other unrelated activities of the recipient, and it is not an audit of financial statements of the recipient that has a broader scope. The audit of the financial statements of the recipient is when the auditor expresses an opinion that the entity’s financial statements present fairly the balance sheet, the income statement, notes to the financial statements, etc. in all material or significant respects for the year just ended in accordance with the applicable accounting standards. A financial statement audit is not considered a good substitute for a recipient audit, because it does not generally indicate if costs reported or claimed by the recipient are in compliance with a particular funding agreement. However, a financial statement audit may contribute to the decision to conduct a recipient audit.

A recipient audit is also different from a departmental internal audit. The purpose of a departmental internal audit is to provide assurances on the effectiveness and adequacy of departmental risk management, control and governance processes. An example of a process that can be audited by internal audit personnel is the program management recipient monitoring process, which includes recipient audits performed for program management. Consequently, while it is recommended that internal audit personnel not perform recipient audits, they may audit the monitoring process performed by departmental managers.

See Appendix C of this Guideline for an overview of the different types of audits.

3. Benefits of Conducting a Recipient Audit

The benefits of conducting a recipient audit, when appropriate, are numerous. Recipient audits may:

  • Confirm that funds are or are not being used for intended purposes;
  • Confirm previously identified issues and the extent of the problem (e.g., poor cash management, weak governance, limited reporting);
  • Identify previously unknown risks with certain recipients, projects or initiatives that can lead to the departmental manager adjusting monitoring or funding agreements;
  • Provide additional useful information for decision making;
  • Act as a possible deterrent to recipient fraud or non-compliance with the funding agreement;
  • Complement the role of the internal audit function; and
  • Support the roles of the departmental audit committee and the chief financial officer.

4. Selection of Recipients for Recipient Audit

Selecting recipients for audit first requires an assessment of risk. Risk management of transfer payments can be viewed at several levels within a department. Integrated risk management is a method for managing overall risk within a department. This includes risk management at the grant and contribution program level as well as risk management at the project or recipient level . Risk management at all levels within a department should be integrated to allow for sharing and updating of risk information.

Please refer to the Framework for the Management of Risk and its companion document, Guide to Integrated Risk Management for more information on risk management.

At the project or recipient level, recipients are selected for audit after being assessed for risks by departmental managers (with assistance from program officers, as required) or as recommended to departmental managers for selection by other functional experts, such as the departmental evaluation group. Whatever means of recipient selection used, the departmental manager is to be satisfied that the overall monitoring, including recipient audit, is adequate.

This section focuses on risk management at the project or recipient level. 

4.1 Risk management model-Project or recipient level

A risk management model for transfer payments at the project or recipient level is a tool that identifies risk factors and risk ratings that can be used to assess the overall risk related to a particular recipient. It is recommended that the risk management model be applied prior to a funding agreement being signed with a recipient and re-applied throughout the duration of the agreement, as needed.

The risk management model (see partial illustrative example below) can include the following:

  • Risk factors: Areas of risk developed with consideration of such items as performance risks (stated objectives of projects not achieved), financial risks (funding may not be used for intended purpose or reported accurately), and risk tolerances;Footnote 3
  • Risk assessment scale or risk rating: For each risk factor, the range of ratings for that risk factor based on assessment criteria;
  • Assessment criteria: Conditions to be considered in assigning a relevant risk rating to a risk factor for a particular recipient;
  • Weighting of risk factor: Value assigned to each risk factor in relation to overall risk score based on its relative importance or impact as compared with other risk factors;
  • Overall risk score: Measure of overall risk related to a particular recipient based on the above four bullets (e.g., low to high); and
  • Risk assessment scoring matrix: The overall risk level based on the overall risk score.
Illustrative example
Risk Factor Risk Rating Assessment Criteria
Recipient’s capability of managing project High
  • Limited or no qualified team members
  • High staff turnover
  • Unclear roles and responsibilities
  • Limited or no internal capacity to recruit, train and retain appropriate personnel
Medium
  • Some qualified team members
  • Moderate staff turnover
  • Some clarity regarding roles and responsibilities
  • Some internal capacity to recruit, train and retain appropriate personnel
Low
  • Sufficient number of qualified team members
  • Low staff turnover
  • Clear roles and responsibilities
  • Strong internal capacity to recruit, train and retain appropriate personnel

4.2 Risk-based plans - Program and departmental levels

Based on the results from the risk management model at the project or recipient level, a risk-based plan for recipient audits at the program level can be developed by the departmental manager, as required. As per section 6.5.3 of the Directive on Transfer Payments, departmental managers are responsible for “determining when recipient audits are necessary to complement other departmental monitoring activities and developing and executing a risk-based plan for these recipient audits, including determining the scope of recipient audits to be undertaken and the standards to be applied.”

Some departments may have in place a departmental-driven risk assessment and management system where the departmental manager inputs risk data related to a particular recipient and funding agreement. The system will advise the departmental manager on appropriate monitoring activities, including the need for a recipient audit. Alternatively, a department may have a more manual risk assessment and management system that departmental managers use at their discretion in determining appropriate monitoring activities for a recipient.

The output from the risk management model discussed in section 4.1 above can be a risk mitigation strategy like the one shown below, which outlines suggested activities based on assessed risk. This strategy can help departmental managers prepare a program risk-based plan for recipient audits. The illustrative example below suggests that there be mandatory recipient audits for recipients that have been assessed as having an overall high-risk levelFootnote 4 and random selectionFootnote 5 for recipient audit of recipients that have low- to medium-risk levels.

Illustrative example of possible mitigation strategy for low-, medium- and high-risk levels
Activity Risk Level
Low Medium High
Cash management Advances permitted based on recipient need Advances permitted based on recipient need Advances permitted based on recipient need
Recipient reporting (financial and performance) Minimum annually Minimum quarterly Minimum monthly
General review of recipient reports Annually or semi-annually Quarterly Monthly
Detailed review of recipient reports, on-site or with additional documentation As required, minimum annually As required, minimum twice annually As required, minimum quarterly
Periodic review of project progress Annually or semi-annually Twice annually Quarterly
Recipient audit By random selection By random selection Mandatory

In putting together a risk-based plan for recipient audits of a particular transfer payment program, the departmental manager should be clear on the plan’s intent. In some cases, the intent may be to focus recipient audits on recipients where risks appear highest. Alternatively, or additionally, the departmental manager may wish to design the risk-based plan to allow general conclusions to be reached about recipient compliance across the program; this requires that a statistically valid sample of recipients be subject to audit.

In preparing risk-based plans, departmental managers are to use discretion if, in their judgment, a recipient audit should or should not be conducted (e.g., override of the departmental risk management model).Footnote 6 A departmental manager may decide that a recipient audit is not necessary because reliable alternative sources of assurance may meet their needs, such as:

  • A departmental “initial visit” to the recipient to reach a common understanding of the funding agreement and to clarify financial reporting and documentation expectations;
  • Recent recipient audit(s) of the recipient for another departmental program or by another department with appropriate commonality;
  • RepresentationsFootnote 7 by recipient officials;
  • Representations by the recipient’s external auditor;
  • The recipient’s audited financial statements;Footnote 8
  • Recipient reports or results that are better than anticipated, with appropriate evidence; 
  • Internal audits conducted by the recipient; and
  • Evaluations conducted by the department.

Departmental managers’ risk-based plans at the program level may be useful for preparing a consolidated departmental level risk-based plan, if desired. Such a plan may help departments ensure a more coordinated approach for recipient audits of the same recipient. Appendix D illustrates a possible format of risk-based plans and highlights the need to properly document processes and decisions. 

Please refer to:  Framework for the Management of Risk and its companion document, Guide to Integrated Risk Management  for additional information.

Due to the simplification of the material in sections 4.1.and 4.2, it is recommended that more detailed material, such as that referred to above, be considered before beginning a risk management project.

5. Recipient Audit Parameters

Recipient audit parameters are the elements that need to be decided upon by the departmental manager before a department negotiates and signs an agreement for recipient audit services. These parameters are discussed in sections 5.1 to 5.5.

5.1 Establishing audit provisions in funding agreements

To conduct recipient audits, funding agreements need audit provisions.

Appendix G - Funding Agreement Provisions for Contributions of the Directive on Transfer Payments identifies elements needed to establish the minister’s right to conduct a recipient audit and to access the recipient’s documents and premises. Specifically, Appendix G - sections 13 and 14 identifies the following:

  • The minister’s right to undertake a recipient audit to determine whether the recipient has complied with the funding agreement; and
  • The minister’s right of access to the recipient’s documents and premises for the purpose of conducting an audit or monitoring compliance with the funding agreement.

Departments are reminded that the performance of recipient audits for transfer payments programs, other than contributions, require similar elements in funding agreements or some other legal basis. As well, recipient audit provisions are not always required in contribution agreements with other orders of governmentFootnote 9 or with foreign recipients.  Funding agreements for grants normally do not have recipient audit provisions; however, these may be included where a department deems them appropriate.

With regard to access to the recipient’s documents, a minimum period of right of access after the end of the funding agreement should be considered, at the discretion of departmental managers or at a higher program policy level. In such a case, the minister has right of access to documents related to the expired funding agreement (three to five years past the end of the funding agreement seems reasonable).

It is recommended that departments consult with departmental contracting and procurement staff and/or legal services to determine the precise wording for funding agreements in order to allow for recipient audits and right of access. 

5.2 Level of assurance-Audit, review engagement and specified auditing procedures

The level of assurance is the degree of confidence that the departmental manager has in the conclusion of the recipient audit report. The level of assurance is linked to the nature of engagement conducted by the auditor. An audit provides high or reasonable assurance, whereas a review engagement provides moderate assurance.

In determining the appropriate level of assurance for a recipient audit, the departmental manager is to be guided by the risk profile of the recipient as well as by an awareness of the nature of different types of engagements that an auditor can conduct. An audit engagement includes such procedures as inspection, observation, enquiry, confirmation, recalculation and analytical procedures. A review engagement consists primarily of enquiry, analytical procedures and discussion of information provided by the recipient, with the level of work being less extensive than for an audit.

For the same subject matter, an audit engagement can be expected to be more costly than a review engagement due to the greater level of work to achieve the higher level of assurance. Costs and benefits of higher assurance are to be considered as well as what is being audited. Non-financial clauses in funding agreements can be very costly to audit to a high assurance level. As well, it may not be possible to obtain a high assurance given the information available or the nature of the clause.

For a particular funding agreement and the clauses selected for a recipient audit, a departmental manager may decide that high assurance is needed for some clauses and moderate assurance for other clauses. The mechanics of such a recipient audit should be discussed in detail with the auditor.

Departmental managers have another option available to them: specified auditing procedures for which particular information may be sought regarding certain clauses in the funding agreement. The auditor simply performs specified auditing procedures as requested and specified by the departmental manager. Specified auditing procedures do not result in either an audit opinionFootnote 10 or negative assuranceFootnote 11 but rather provide factual information about certain clauses in a funding agreement (e.g., timesheets were available to provide support for 9 of 10 claims sent to the department). In this way, the departmental manager may be able to confirm if there is a legitimate problem and adjust recipient monitoring accordingly.

Within this guideline, the meaning of “recipient audit” and “audit” are different. “Recipient audit,” as defined in the Directive on Transfer Payments, is an independent assessment to provide assurance on a recipient’s compliance with a funding agreement. The scope of a recipient audit may address any or all financial and non-financial aspects of the funding agreement.

A “recipient audit” can be:

  • An “audit” with high or reasonable assurance;
  • A review engagement with moderate assurance; or
  • Specified auditing procedures with no assurance.

It is up to the departmental manager to decide what a recipient audit means in any particular circumstance, based on assessed risk, desired level of assurance and cost-benefit considerations.

5.3 Limitations of a recipient audit

Departmental managers are to be aware of limitations that can apply to a recipient audit, such as:

  • A recipient audit will not provide absolute assurance (the recipient audit cannot provide a 100-per-cent guarantee there will be no errors or omissions in the financial or non-financial information or compliance with a funding agreement).
  • A lower level of assurance can be expected for non-financial clauses due to the inherent difficulty of assessing these types of clauses (assessment of compliance with non-financial clauses are more difficult due to their less objective nature).
  • Fraud is more difficult to detect than errors due to efforts made to conceal fraud.
  • An auditor very rarely reviews 100 per cent of the relevant financial transactions, and, in some cases, even representative samplingFootnote 12 may not be performed.
  • Internal controls have limitations (internal controls would likely not detect errors in judgment, collusion between individuals, management override, and inappropriate transactions or activities due to inability to properly segregate duties due to the size of an organization).
  • Much of the evidence reviewed may be persuasive but not conclusive.

5.4 Scope, standards and criteria

The scope of a recipient audit, standards used to conduct the recipient audit, and criteria for the recipient audit are key concepts for the departmental manager to understand. As per section 6.5.3 of the Directive on Transfer Payments, departmental managers are responsible for “determining the scope of recipient audits to be undertaken and the standards to be applied.” In addition, as per section 6.5.4 of the Directive on Transfer Payments, the departmental manager is responsible for “communicating to the auditor the scope of the recipient audit to be undertaken, the standards to be followed and the nature of the report to be provided to the department.”

The scope of a recipient audit refers to what is subject to audit. The scope referred to in sections 6.5.3 and 6.5.4 of the Directive on Transfer Payments refers to the scope of the recipient audit to be undertaken rather than the scope of the recipient audit report. For example, the scope of a recipient audit can be the claimed amounts (as defined in the terms and conditions of agreement XYZ) for the period April 30, 20XX, to September 30, 20XX. Conversely, the “scope” paragraph of a recipient audit report may describe the standards by which the recipient audit was conducted, the level of assurance and what is included in the recipient audit.Footnote 13

The standards that may be used or may apply to a recipient audit are rules by which the auditor conducts the engagement. For example, the Chartered Professional Accountants (CPA) Canada has, for example, Canadian Auditing Standards (CASs) for audits, which include general, examination and reporting standards for various types of engagements. CPA Canada also has standards for review engagements, which include general, review and reporting standards. Canadian auditing standards (CAS).

The International Standards for the Professional Practice of Internal Auditing (IIA Standards) include attribute and performance standards as well as practice advisories for engagements. The material in this guidance document draws extensively from the CPA Canada CASs, which have been commonly used for recipient audits. However, other standards may be appropriate, depending on the anticipated engagement. It is recommended that the applicable standards used to conduct a recipient audit are referred to in both the agreement for recipient audit services and in the recipient audit report.

Departmental managers are expected to have some understanding of standards used by the auditor but not an in-depth knowledge of the standards themselves.Footnote 14 It is recommended that departmental managers seek the expertise of auditors in determining the appropriate standards to be used for recipient audits. It is the responsibility of the auditor to have an extensive knowledge of standards selected by the departmental manager and to conduct the recipient audit by said standards.

Criteria are used to assess financial or non-financial information against benchmarks. For example, in a financial statement audit, financial statements are audited to see if they are in accordance with auditing principles as outlined in the CPA Canada Handbook. In the case of a recipient audit, financial or non-financial information is assessed to see if it is in accordance with a particular funding agreement between the department and the recipient. As needed, auditors may develop more detailed criteria related to clauses selected for review in the funding agreement. Depending on previous agreement, the departmental manager may be given the opportunity to review or approve the more detailed criteria before the recipient audit begins.

5.5 Recipient audit report

The purpose of a recipient audit report is for the auditor to express a conclusion on the subject matter for which the recipient is accountable to the department. The nature of the recipient audit report is generally dictated by the nature of the engagement and whether significant concerns have been identified during the engagement, including insufficient appropriate evidence. For example, an audit has a different style of report than a review engagement. If sufficient appropriate evidence is not available, the report will contain a reservation explaining the problem. As well, the nature of the report can vary depending on whether both financial and non-financial clauses of the funding agreement were reviewed during the engagement.

With the assistance of the auditor, departmental managers should consider including an agreed upon recipient audit report template in the agreement for audit services.Footnote 15 This helps clarify the departmental manager’s needs and avoid any misunderstanding about deliverables.

Departmental managers have several options for recipient audit reports. Some examples of recipient audit reports (by assurance levels) are shown below in Appendix F.

6. Auditors and Specialists

6.1 Selection of auditors

Currently, departmental managers have the following options available when selecting an independent auditor for a recipient audit:

  • Professional Audit Support Services Supply Arrangement (PASS-SA) ; and/or
  • An internal departmental recipient audit group.

The PASS-SA is a method of procurement of audit and financial management services. The supply arrangement is expected to allow for a fast, efficient and streamlined approach to service procurement through an existing pre-qualified pool of service providers and its integration into the existing procurement system.

A department may have an internal departmental recipient audit group. This group should be staffed with indeterminate employees, with any additional resource needs met by an outside firm.

In all cases, recipient audit staff are to have sufficient expertise to conduct a recipient audit of both the financial and non-financial clauses in the funding agreement, as required. Section 6.2 of this guideline discusses the situation where the use of specialists is required for recipient audits.

Section 6.5.4 of the Directive on Transfer Payments states that the departmental manager is responsible for “selecting an independent auditor to undertake a recipient audit for the department.” The term “independent auditor” is meant to imply that the auditor is independent of the recipient and that a conflict of interest, either actual or perceived, does not exist between the auditor and the recipient. The term “independent auditor” can also be interpreted to mean that the auditor is free of any bias toward program management or the department.

Currently, some departmental internal audit groups are conducting recipient audits. This practice is not encouraged, because recipient audits are not within the mandate of internal audit and because of concerns about the independence of internal auditors. The role of departmental internal audit groups is to provide professional review and assessment, independent of line management, of departmental risk management, control and governance processes. Internal audit personnel need to maintain their independence in order to audit the recipient monitoring process, which includes recipient audits. Departmental managers, however, should feel free to seek general advice from departmental internal auditors on recipient audit concepts, such as scope, standards and reports.

Departmental contracting and procurement staff should be consulted for up-to-date procurement options for recipient audit services, as appropriate.

6.2 Use of specialist by the auditorFootnote 16

Departmental managers may decide, in selecting the scope of a recipient audit, that both financial and non-financial clauses of the funding agreement should be included. The auditor may use the services of one or more specialists to ensure sufficient expertise to review all clauses selected (e.g., official languages, informatics). The departmental manager and the potential auditor should discuss the possible need for a specialist and, where appropriate, document this requirement in the agreement for recipient audit services.

7. Single Recipient Audit

A single recipient auditFootnote 17 is a coordinated approach to recipient auditing whereby an auditor representing some or all donors conducts a single recipient audit of a common recipient to verify compliance with terms and conditions of some or all funding agreements with that particular recipient. Section 6.5.5 of the Directive on Transfer Payments encourages single recipient audits within departments and with other departments, where feasible.  

As a starting point to coordinating single recipient audits, departments need a comprehensive list of recipients by program and some indication of the risk level. Departments have at least four options that can be helpful in providing this information:

  • Recipient information from the departmental risk management model, as discussed in section 4.1 of this document;
  • Public Services and Procurement Canada (PSPC) makes available on its website unpublished detailed information by fiscal year relating to Section 6, Transfer Payments, of Volume III of the Public Accounts of Canada. Section 6 presents, by department and for each class of recipient, a detailed list, where applicable, of payments (i.e., cash and accrued charges) aggregating to $100,000 or more to a recipient. This list shows the name and location of the recipient, with the amount paid;
  • Proactive publication information, available on Open Government Portal, indicates each grant and contribution awarded in the previous quarter. Proactive publication information indicates the recipient, recipient location, date of award, value of award, type of transfer payment and purpose; and
  • A department may try to promote the benefits of a single recipient audit with a recipient and ask the recipient to indicate other programs or other associated departments with which it is dealing. With the recipient’s agreement, the department then contacts other departments or programs and suggests the possibility of a single recipient audit.

An assessment of costs and benefits of coordinating a single recipient audit should be conducted before proceeding with a collaborative approach to auditing (both within and among departments). As well, departmental managers should assess how many and how much of the funding agreements with any one recipient should be audited based on an assessment of risk. The departmental Centre of Expertise for transfer payments, should it exist, may assist in the facilitation and co-ordination of single recipient audits.

Other issues that need to be considered when assessing the feasibility of a single audit include the following:

  • A possible process for shared audits within or between departments;
  • The impact on the recipient’s operations;
  • Privacy concerns regarding sharing reports; and
  • Element(s) in funding agreements for shared audits.

8. Agreement Between the Department and the Auditor for Recipient Audit Services

In cases where departments are not using an internal departmental recipient audit group to conduct recipient audits but rather seeking the services of ASC or those available through the PASS-SA, an agreement for recipient audit services is necessary. Appendix G lists suggested sections to be included in an agreement for recipient audit services with references to sections in this guideline, where relevant. This is not a comprehensive listing. It is recommended that departmental managers work with contracting and procurement staff in developing any agreement for recipient audit services.

Sections 8.1 to 8.2 discuss sections in the agreement for recipient audit services not covered elsewhere in this guide.

8.1 Communications between the department and the recipient

The departmental manager is responsible for communicating to the recipient the planned recipient audit and the authority to perform the audit. The departmental manager should be sensitive to the needs or possible conflicts of the recipient when determining the appropriate timing for the recipient audit. This timing, of course, needs to be suitable for the recipient, the department and the auditor.

The departmental manager may also discuss with the recipient the following:

  • The purpose of the recipient audit, i.e., an independent assessment to provide assurance on the recipient’s compliance with the funding agreement;
  • Who will be conducting the recipient audit;
  • Responsibilities of the recipient during the audit (e.g., availability and completeness of financial and non-financial information subject to audit, information related to fraud and error, required written assertions related to the information, and assistance to the auditor); and
  • Whether the recipient will have the opportunity to review and discuss recipient audit findings with the auditor or departmental manager and provide concurrence.

After the recipient is made aware of the upcoming audit by the departmental manager and an agreement for audit services has been signed (if applicable), the auditor can begin to communicate with the recipient for audit purposes.

8.2 Communications between the department and the auditor

The departmental manager should maintain contact with the auditor throughout the recipient audit process. As per section 6.5.4 of the Directive on Transfer Payments, the departmental manager is responsible for “communicating to the auditor the scope of the recipient audit to be undertaken, standards to be followed, and the nature of the report to be provided to the department.” At the recipient audit planning stage, the departmental manager should advise the auditor of any areas of concern. Presumably, the scope of the recipient audit reflects these areas.

The departmental manager may want to be involved in the development and approval of more detailed criteria (as needed) related to clauses selected for review in the funding agreement.

The auditor should discuss with the departmental manager recipient audit findings and the draft recipient audit report before issuing the final report.

9. Recipient Audit Process

The recipient audit process generally has three stages: recipient audit planning, execution and reporting. Recipient audit quality control should occur throughout all three stages. These stages are discussed below.

9.1 Recipient audit planning

The first step of a recipient audit is recipient audit planning. Once an agreement for recipient audit services has been negotiated and signed, the auditor begins to plan the recipient audit. During the planning stage of a recipient audit, the auditor may review such items as the funding agreement, recipient claims and any previous recipient audits. The auditor may also meet with the department to discuss areas of concern. It is at this stage that the auditor may look at internal controls of the recipient related to the funding agreement. A review of internal controls related to the agreement may necessitate a visit to the recipient or can be done by other means, such as a questionnaire or enquiry.

Based on issues identified, the auditor determines the nature, extent and timing of additional recipient audit procedures. This is documented in a planning memorandum, which can include recipient audit objectives, recipient audit criteria, recipient audit programs and a sampling of transactions. A recipient audit objective is a general statement of the expected output of a recipient audit (e.g., to assess the compliance with a funding agreement). Recipient audit programs document specific steps that the auditor carries out to examine particular areas, such as direct material, salaries or labour expenses, overhead, etc. If applicable to the recipient audit, a sampling of transactions is the number of items in a population of transactions (e.g., direct material) that an auditor reviews.

9.2 Recipient audit execution

The second step of a recipient audit is recipient audit execution. The recipient audit is conducted as per the planning memorandum with adjustments being made, if further issues become apparent during the recipient audit. Recipient audit programs are completed with sampled transactions reviewed (if reasonable or high assurance is required). Recipient audit work, including evidence related to any errors or observations, is documented in recipient audit files (e.g., working papers) at this stage to support the conclusion of the recipient audit.

9.3 Recipient audit reporting

The third step of a recipient audit is recipient audit reporting. After the execution of the recipient audit, the auditor prepares a recipient audit report. Some possible formats of the report are shown in Appendix F.

9.4 Recipient audit quality control

Recipient audit quality controls (RAQC) occur throughout all three steps above. RAQC are actions or procedures implemented by the recipient auditor to ensure that objectives of the engagement have been properly and adequately achieved. RAQC should be part of any recipient audit and should be in accordance with standards being used by the auditor.Footnote 18 RAQC procedures in a recipient audit may include the following:

  • Adequate recipient audit planning;
  • Adequate competencies of the recipient audit team as well as proper supervision, as required;
  • Review of engagement working papers for possible outstanding issues, adequacy of work and appropriateness of conclusions;
  • Ethical requirements regarding independence of auditor, integrity and conflict of interest; and
  • Possible review of engagement working papers by persons outside of the recipient audit team.

10. Recipient Audit Report Follow-Up and Dissemination

After the completion of the recipient audit report, recipient audit report follow-up and dissemination occur. As per the agreement for recipient audit services, the auditor provides the departmental manager with the recipient audit report. The departmental manager should review the recipient audit report and follow up on the results of the recipient audit in a timely fashion, based on the significance of findings in the recipient audit report. Any identified overpayments to the recipient should be established as debt due to the Crown and collected from the recipient. Reasonable unexpended balances of advance payments made under terms of a funding agreement and held by a recipient at the end of any fiscal year within the term of a multi-year funding agreement are not to be considered as repayable at that time.Footnote 19

Departmental managers may find it useful to analyze recipient audit reports for the same transfer payment program to look for trends, program deficiencies or efficiencies, and possible future program redesign issues.

The Policy on Transfer Payments and the Directive on Transfer Payments do not direct how recipient audit reports should be disseminated. Departmental managers may wish to distribute these reports to the departmental audit committee, internal audit and evaluation groups, the chief financial officer, and others. As appropriate, departments should consider developing a recipient audit follow-up protocol for handling recipient audit reports, including roles and responsibilities, requirements for communicating findings, and managing recipient audit findings. If available, the recipient audit follow-up protocol may be included in the departmental level risk-based plan. See Appendix D.

11. Fraud

Fraud is a criminal deception involving the use of false representation with the specific intent of gaining an unfair or dishonest advantage. Fraud ordinarily involves either wilful misrepresentation or deliberate concealment of material facts for the purpose of inducing another person to either part with cash or something else of value or to surrender a legal right.

A recipient audit is generally not designed to detect fraud. However, depending on the standards an auditor uses for the engagement, an auditor may have certain responsibilities to consider fraudFootnote 20 Should the auditor detect fraud or possible fraud in the audit engagement and inform the department, the departmental manager’s first step should be to contact departmental legal services to determine departmental protocol. As well, it is recommended that the chief financial officer’s staff be consulted regarding issues such as recoveries and receivables.

For additional details, please refer to the Directive on Public Money and Receivables

12. Enquiries

12.1 Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries regarding any questions about this guideline.

12.2 Individuals from departments should contact their chief financial officer or departmental transfer payment centre of expertise regarding any questions about this guideline.

12.3 The chief financial officer or individuals from a departmental transfer payment centre of expertise may contact Financial Management Enquiries for interpretation of this guideline.


Appendix A: Departmental Internal Control for Transfer Payment Processes

Internal controls may complement recipient audits.

As per the Policy on Transfer Payments, section 4.2.3, the expected results of the Policy include that “Transfer payment programs are supported by cost-effective oversight and  control systems at both departmental and government-wide levels”. 

As indicated earlier in this document, recipient monitoring, which includes recipient audits, is part of this cost-effective oversight. As part of the oversight function and for internal control purposes, departments (at any level within the organization) may decide to assess any part of the transfer payment management process for some or all of its programs. This internal control provides the department with information on how well particular aspects of the transfer payment processes are functioning, depending on the criteria selected. For example, management may want to determine how well departmental managers are following payment terms in the funding agreements. This kind of assessment likely involves comparing selected payments to recipients to the relevant terms in the funding agreements. Another assessment can include visits to recipients to assess whether performance objectives, as defined in the funding agreements, are being achieved.

The sample used for this internal control can be selected using various approaches, including a stratified sample where high-value or high-risk funding agreements are reviewed as well as a random selection from the balance of the funding agreements.

An internal audit group may audit this internal control as part of its control work (e.g., test that the control is working well).

Appendix B: Relevant Blue Ribbon Panel Recommendations

In June 2006, the then President of the Treasury Board, John Baird, commissioned an independent Blue Ribbon panel “to recommend measures to make the delivery of grants and contribution programs more efficient while ensuring greater accountability.” The report of the Independent Blue Ribbon Panel on Grant and Contribution Programs, From Red Tape to Clear Results, dated December 2006, contained 32 recommendations. The recommendations related to recipient audits are as follows:

Recommendation 6

To achieve a “single view of the client” the Treasury Board of Canada Secretariat and concerned departments should improve horizontal coordination of program administration within and across departments.

Recommendation 7

The Treasury Board and its Secretariat should, to the extent practicable, and in cooperation with other orders of government, seek to harmonize federal, provincial and municipal information, reporting and audit requirements for grants and contributions.

Recommendation 17

The Treasury Board of Canada Secretariat should develop a risk management approach for grants and contributions that tailors the nature of the oversight and reporting requirements to the capacities and circumstances of recipients, and complements their existing reporting processes. The panel believes these conditions should include, but not necessarily be limited to, the following:

  • the amount of money involved;
  • the complexity of the uses to which the money is to be put (e.g., conditionality);
  • the established management credibility and track record of the recipient;
  • the sensitivity of the project/program; and
  • the size and capacities of the recipient organization.

Recommendation 19

The Treasury Board of Canada Secretariat and departments should encourage and facilitate cross-departmental, consolidated audit planning for recipients engaged in projects funded from multiple programs. This is especially important in the case of intergovernmental contribution agreements.

Recommendation 21

Recipients should be subject to audit by the federal government no more than once a year, regardless of the number of funding agreements in place. (Exceptions would apply where a need was identified for follow-up action, e.g., forensic audits.)

Recommendation 22

The Treasury Board should encourage departments to perform a regular series of random audits, based on the annual financial cycle of the recipient organization and a department-wide risk assessment of the organization.

Appendix C: Overview of Types of Audits

Type of Audit and Purpose Possible Beneficiaries Responsible to Initiate Output or Product Use of Product
Financial Statement Audit-To provide an opinion on entity financial statements.

Shareholders, members, donors,  public, government

Regulating bodies

Entity and audit committee

Management or audit committee of entity initiate due to external requirements for audited financial statements

Auditor’s report

  • Criteria
  • Responsibilities
  • Statement of assurance and methodology for audit
  • Opinion
Decision making by beneficiaries
Recipient Audit-Independent assessment to provide assurance on a recipient’s compliance with a funding agreement.

Departmental manager

Recipient

Departmental internal audit and audit committee

Departmental manager To be determined by departmental manager per section 6.5.4 of the Directive on Transfer Payments. See section 5.5 of this guideline. Program management and recipient monitoring by departmental manager
Internal Audit-To provide assurance on departmental risk management, control, and governance processes

Department and deputy head

Departmental audit committee

Public

Internal audit group per deputy head approved departmental internal audit plan

Internal audit report:

  • Criteria
  • Statement of assurance
  • Management action plan
Improvements in departmental risk management, control and governance processes in response to audit
Auditor General Inquiry-Pursuant to amendments resulting from the Federal Accountability Act, Section 7.1 (1) of the Auditor General Act provides for the Auditor General to undertake a recipient inquiry. “Recipient” is defined in Section 42.(4) of the Financial Administration Act, including receiving a total of $1 million or more within any five fiscal years.

Parliament

Minister, department

Public

Auditor General of Canada Reports of the Auditor General Decision making by Parliament

Appendix D: Risk-Based Plans for Recipient Audits-Program and Departmental Levels (Illustrative Only)

Risk-based plans for recipient audits at both the program level and departmental level may contain the following elements:

Program level risk-based plan

  • Name of program;
  • Description of risk assessment or management process used to select recipients for audit (e.g., department-driven versus departmental manager-driven);
  • If selected by department-driven risk assessment or management process:
    • Recipients selected for audit with identification of any single or combined audits;
    • Recipients selected for audit that will not be audited, with rationale provided for departmental manager override; and
    • Recipient not selected for audit that will be audited, with rationale provided for departmental manager override and identification of any single or combined audits.
  • If selected by departmental manager-driven risk assessment or management process, recipients selected for audit with rationale.

Departmental level risk-based plan (if desired)

  • Description of risk assessment or management process used to select recipients for audit (e.g., departmental-driven versus departmental manager-driven).
  • By program name:
    • If selected by departmental-driven risk assessment or management process:
      • Recipients selected for audit with identification of any single or combined audits;
      • Recipients selected for audit that will not be audited, with rationale provided for departmental manager override; and
      • Recipient not selected for audit that will be audited, with rationale provided for departmental manager override and identification of any single or combined audits.
    • If selected by departmental manager-driven risk assessment or management process, recipients selected for audit with rationale.
  • If available, recipient audit follow-up protocol. (See section 10 of this document for further discussion.)

Appendix E: Guidance on Audit Clauses in Agreements Between Federal and Provincial Governments

The Directive on Transfer Payments gives departments considerable discretion on what is included in funding agreements with provinces and territories. Appendix I of the directive sets out minimum elements that are to be addressed in a funding agreement. This does not include provisions related to the minister’s right to conduct a recipient audit. Whether or not to include such a provision is for the department to decide based on the circumstances. Section 6.7 of the directive provides some criteria to be considered in making this decision.

Excerpt from the Directive on Transfer Payments - Appendix I: Transfer Payments to Other Orders of Government [Part 2 only]

Where terms and conditions are required for a transfer payment program that permits payments to other orders of government:

Part 2: Departmental managers responsible for preparing funding agreements are to ensure that, as a minimum, the following elements are addressed in funding agreements with other orders of government.

  1. Identification of the parties.
  2. The effective date and the duration of the funding agreement.
  3. A description of the purpose of the transfer payments, eligible expenditures where relevant, any applicable leveraging or cost sharing, and the expected results.
  4. A description of performance reporting and accountability measures. [Emphasis added]
  5. The maximum amount payable to the recipient and the timing and frequency of payments.
  6. A provision that specifies that reports on evaluations, audits and other reviews related to the funding agreement may be made available to the public. [Emphasis added]
  7. A provision that provides for timely reporting of expenditures incurred by the recipient when the agreement involves reimbursement of eligible expenditures by the Government of Canada so that Canada’s obligations can be recorded and charges made to appropriations in the appropriate fiscal year, regardless of the timing of reimbursement payments.
  8. Any other elements of Appendices F [“Funding Agreement Provisions for Grants”] or G [“Funding Agreement Provisions for Contributions”] that are appropriate in the circumstances. [Emphasis added]

Excerpts from the Directive on Transfer Payments

6. Departmental managers who have been assigned responsibilities for the management of transfer payment programs and transfer payments are responsible for:

6.7 Transfer payments to other orders of government

6.7.1 Ensuring that arrangements for transfer payments to other orders of government are based on:

  • respect for the jurisdiction and responsibilities of each order of government; and
  • respect for the accountability mechanisms of each order of government to citizens. [Emphasis added]

6.7.2 Consulting with the Intergovernmental Affairs Secretariat of the Privy Council Office and the Department of Finance Canada on strategic matters while developing terms and conditions or other accountability mechanisms relating to proposed transfers to other orders of government.

6.7.3 Ensuring that, where Treasury Board approved terms and conditions are not required to support transfer payments to other orders of government, appropriate accountability mechanisms are in place. These are to:

  • identify the intended purposes, the expected outcomes, whether leveraging or cost sharing applies, and the responsibilities of the parties involved;
  • take into account and, to the greatest extent possible, rely on the accountability regimes of these governments, including audit, evaluation and direct reporting to citizens; [Emphasis added]
  • identify the monitoring and reporting for the transfer payment within the recipient government;
  • where direct reporting to the federal government is required, provide for specific audit assurance from the recipient government only where necessary; and
  • enable appropriate and timely monitoring and reporting by the federal department on the use of the funds provided and the results achieved. [Emphasis added]

6.7.4 Ensuring that accountability mechanisms are appropriately limited when transfer payments to other levels of government are to be unconditional.[Emphasis added]

6.7.5 Ensuring that, where Treasury Board-approved terms and conditions are required for a transfer payment program that permits payments to other orders of government, the terms and conditions address the elements identified in Appendix I: Transfer Payments to Other Orders of Government. Where such a program also provides for transfer payments to other categories of recipients, Appendices D, E or both are to be followed in relation to these other categories of recipients.

6.7.6 Ensuring that funding agreements with other orders of government provide a sufficient commitment or obligation to ensure funds are used for the intended purpose, the achievement of objectives, and the degree of enforceability deemed appropriate. The elements identified in Appendix I: Transfer Payments to Other Orders of Government are to be addressed when determining the provisions of funding agreements with other orders of government. [Emphasis added]

6.7.7 Determining the extent to which the requirements of sections 6.2, 6.4 and 6.5 of this directive can be applied in managing transfer payments to other orders of government. If any of the requirements of these sections are not deemed to be appropriate, it is not necessary to seek an exception by the President in compliance with section 3.6 of this directive. [Emphasis added]

Appendix F: Recipient Audit Reports by Assurance Levels (Illustrative Only)

Audit Report (High or Reasonable Assurance)

After the execution of the audit, the auditor prepares an audit report. Generally, a standard audit report consists of three paragraphs as follows:

  • Introduction paragraph -This paragraph states the financial information being audited; the audit criteria or what the financial information or compliance is being evaluated against (e.g., funding agreement); and the responsibilities of both the recipient being audited (financial information or compliance) and the auditor (to express an opinion).
  • Scope paragraph-This paragraph states that the audit has been conducted in accordance with Canadian generally accepted auditing standards to obtain reasonable assurance that the financial information is free of material misstatement or reasonable assurance of compliance and what is included in the audit.
  • Opinion paragraph-This paragraph states the opinion of the auditor on whether the financial information or compliance audited is in accordance with [insert relevant audit criteria here] in all material respects.

The audit report also includes the addressee, the name of the auditor, the date of the report and the place of issue. A reservation paragraph is placed between the scope and opinion paragraphs if the auditor has significant concerns about the subject matter audited, including insufficient appropriate evidence.

Along with the audit report, and as per the agreement for recipient audit services, the auditor may also provide the following:

  • Schedule(s) to support the report, as required;
  • Supplementary notes and/or general observations; and/or
  • Recipient’s response.

The auditor or departmental manager may discuss recipient audit findings with the recipient and obtain the recipient’s clarifications and/or concurrence.

Review Engagement Report (Moderate Assurance)

Generally, a review engagement report consists of the following:

  • Scope paragraph-The paragraph states subject matter being reported on and that the review has been conducted in accordance with Canadian generally accepted standards for review engagements and consisted primarily of enquiry, analytical procedures and discussion related to information provided by the recipient.
  • Disclaimer paragraph-This paragraph states that a review does not constitute an audit, and, consequently, an audit opinion is not expressed.
  • Negative assurance paragraph-This paragraph states that based on the review of [financial or non-financial information] nothing has come to the auditor’s attention that causes him or her to believe that the information is not, in all material respects, in accordance with the [insert relevant criteria here].

The review engagement report also includes the addressee, the name of the auditor, the date of the report and the place of issue.

Along with the review engagement report, and as per the agreement for recipient audit services, the auditor may also provide the following:

  • Schedule(s) to support the report, as required;
  • Supplementary Notes and/or general observations; and/or
  • Recipient’s response.

Specified Auditing Procedures (No Assurance)

The format of a report on the results of applying specified auditing procedures can be as follows:

  • Identify the financial and/or non-financial information to which auditing procedures were applied;
  • Specify procedures applied;
  • State only factual results of procedures applied with no expression of negative assurance;
  • State that an audit has not been performed and disclaim an opinion;
  • Distribution restrictions, if any; and
  • Disclose the addresses, the name of auditor, the date of report and the place of issue.

Along with the report, and as per the agreement for recipient audit services, the auditor may also provide the following:

  • Schedule(s) to support the report, as required; and/or
  • Recipient’s response.

Appendix G: Agreement Between the Department and the Auditor for Recipient Audit Services

This appendix lists suggested sections to be included in an agreement for recipient audit services with references to sections in this guideline, where relevant. This is not a comprehensive list. As with the development of any legal document, departments are encouraged to seek advice from departmental legal services.

Suggested Sections in Agreement for Recipient Audit Services Section in Recipient Audit Guideline, if Applicable
Objective of the recipient audit 5.2, 9.1
Recipient audit criteria: This describes what the financial/non-financial information being reviewed will be assessed against (e.g., recipients claims are in compliance with the terms and conditions of the funding agreement). 5.4
Scope of the recipient audit: The scope of the recipient audit is what will be subject to review. 5.4
Recipient audit methodology: Standards, level of assurance, etc.

Standards: 5.4

Level of Assurance: 5.2

Responsibilities of the auditor:

  • Conduct of the recipient audit (timing, expected hours, etc.);
  • Personnel conducting the recipient audit;
  • Communications with both the department and the recipient;
  • Specified auditing procedures (SAP), if applicable;
  • Deliverables, including nature of recipient audit report; and
  • Recipient Audit Quality Control (RAQC).

Conduct: Not covered

Personnel: Not covered

Communications: 8.1 and 8.2

SAP: 5.2 and Appendix F.

Nature of report: 5.5 and Appendix F

RAQC: 9.4

Responsibilities of the departmental manager and/or department:

  • Departmental contact person;
  • Communication with recipient including the responsibilities of the recipient; and
  • Communication with auditor.

Contact: Not covered

Communications with recipient: 8.1

Communication with auditor: 8.2

Use of specialists by the auditor 6.2
Confirmation of independence of auditor 6.1
Access to recipient audit working papers by department Not covered
Fees and billing Not covered
Dispute resolution Not covered
Language of work Not covered
Responsibilities of the recipient 8.1
Appendix: Recipient Audit Report Template 5.5 and Appendix F

© His Majesty the King in Right of Canada, represented by the President of the Treasury Board, 2017,
ISBN: 978-0-660-09768-8

Date modified: