RISK ASSESSMENT AND AUDIT STRATEGY
- Introduction to risk assessment
- Understanding the entity and its environment
- Assessing the risk of material misstatements
- Responding to risk assessment
- Fraud, law and regulations
- Documentation of risk assessment
- Audit planning
- Audit strategy
- Audit plan
- Audit program
- Audit documentation
By the end of this chapter students should be able to:
- Describe appropriate tasks and procedures to understand the client’s entity’s business and its environment before any ground work can be carried out.
- Explain the concepts of audit risk and materiality
- Describe the techniques used in risk assessment
- Explain the effect of fraud, law and regulations on risk assessment
- State the contents of risk assessment documentation
- Develop an audit strategy
- Explain contents of an audit plan
- Prepare an audit program including determination of the nature, extent and timing of specific audit tests and procedures.
- Describe different types of audit documentation
It is very important that as auditors are about to start audit work on their client (of course as part of their planning), they must get to know their client very well so as to know areas of audit risk. Auditors get to know their client through a process called risk assessment and this is the subject of this chapter as well as the techniques that the auditors use to get this done. The general concept of audit risk is introduced first where components such as
control risk, inherent risk and detection risk are covered. The distinction between audit risk and business risk is also made.
The chapter will also cover the concept of materiality for the financial statements as a whole. You may recall from your earlier studies that information is material if its omission or inclusion will affect the decision of a user on the basis of financial statements. Auditors use judgement to calculate materiality and it must be reviewed as the audit progresses and revised if necessary.
The last section of this chapter covers the contents of the overall audit strategy and the detailed audit plan as well as the audit program. Documentation of audit work, which provides the evidence of the work performed, will also be covered.
- Introduction to risk assessment
Risk is any event that prevents the achievement of a set objective. Risks are everywhere whether in business or audit; hence we have business risk and audit risk.
- Meaning of risk assessment
Risk assessment comprises all the procedures the auditor carries out to assess the risk of material misstatement in the client’s financial statements.
Auditors are required to carry out the audit with an attitude of professional scepticism, exercise professional judgement and comply with ethical requirements. When planning and carrying out these risk assessment procedures auditors must show pprofessional scepticism, professional judgement and fulfil ethical requirements.
1.1.1 Professional scepticism, professional judgement and ethical requirements Professional scepticism is an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence.
Professional judgement is the application of relevant training, knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement.
ISA 200 Overall objectives of the independent auditor and the conduct of an audit in accordance with International Standards on Auditing states that auditors must plan and perform an audit with an attitude of professional scepticism recognising that circumstances may exist that cause the financial statements to be materially misstated.
This requires the auditor to be alert to:
- Audit evidence that contradicts other audit evidence obtained
- Information that brings into question the reliability of documents and responses to inquiries to be used as audit evidence
- Conditions that may indicate possible fraud
- Circumstances that suggest the need for audit procedures in addition to those required by ISAs
Professional scepticism needs to be maintained throughout the audit to reduce the risks of overlooking unusual transactions, over-generalising when drawing conclusions, and using inappropriate assumptions in determining the nature, timing and extent of audit procedures and evaluating the results of them.
Professional scepticism is also necessary to the critical assessment of audit evidence. This includes questioning contradictory audit evidence and the reliability of documents and responses from management and those charged with governance.
1.1.2 Professional judgement
ISA 200 also requires the auditor to exercise professional judgement in planning and performing an audit of financial statements.
Professional judgment is the process used to reach a well-reasoned conclusion that is based on relevant facts and circumstances available at the time of the conclusion. A fundamental part of the process is the involvement of individuals with sufficient knowledge and experience. It involves the identification without bias, of reasonable alternatives, and therefore careful and objective consideration of information that may seem contradictory to a conclusion is key to its application.
Professional judgement is required in the following areas:
- Materiality and audit risk
- Nature, timing and extent of audit procedures
- Evaluation of whether sufficient appropriate audit evidence has been obtained
- Evaluating management’s judgements in applying the applicable financial reporting framework
- Drawing conclusions based on the audit evidence obtained
1.1.3 Ethical requirements
ISA 200 states that the auditor must comply with the relevant ethical requirements, including those relating to independence, that are relevant to financial statement audit engagements.
- Overall audit risk
Auditors usually follow a risk-based approach to auditing as required by International Standards on Auditing (IASs). In this approach, auditors analyse the risks associated with the client’s business, transactions and systems which could lead to misstatements in the financial statements, and direct their testing to risky areas. This is in contrast to a procedural approach which is not in accordance with ISAs. In a procedural approach, the auditor would perform a set of standard tests regardless of the client and its business. The risk of the auditor providing an incorrect opinion on the truth and fairness of the financial statements might be higher if a procedural approach was adopted.
- Audit risk
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. It is a function of the risk of material misstatement (inherent risk and control risk) and the risk that the auditor will not detect such misstatement (detection risk).
Audit risk may bring damage to the audit as a result of giving a wrong audit opinion. A wrong audit opinion means, for example, saying that the accounts show a true and fair view when in fact they do not.
Damage to the audit firm may be in the form of:
- Monetary damage paid to the client
- Monetary damage paid to a third party for loss caused by auditor’s negligence.
- Loss of reputation with the client.
- Loss of the audit or the business community.
Audit risk has two elements, the risk that the financial statements contain a material misstatement and the risk that the auditors will fail to detect any material misstatements.
Audit risk has two major components. One is dependent on the entity, and is the risk of material misstatement arising in the financial statements (inherent risk and control risk).
The other is dependent on the auditor, and is the risk that the auditor will not detect material misstatements in the financial statements (detection risk). Audit risk can be represented by the audit risk model:
Audit risk = Inherent risk x control risk x detection risk
1.3.1 Inherent risk
Inherent risk is the susceptibility of an assertion to a misstatement that could be material individually or when aggregated with other misstatements, assuming there were no related internal controls.
Inherent risk is the risk that items will be misstated due to the characteristics of those items, such as the fact they are estimates or that they are important items in the accounts. The auditors must use their professional judgement and all available knowledge to assess inherent risk. If no such information or knowledge is available then the inherent risk is high.
Inherent risk is affected by the nature of the entity; for example, the industry it is in and the regulations it falls under, and also the nature of the strategies it adopts.
Factors that affect inherent risk
The relevant factors are considered based on two headings.
(I) Factors affecting client as a whole
- Integrity and attitude to risk of directors and management – domination by a single individual can cause problems.
- Management experience and knowledge. This may be changes in management and quality of financial management.
- Unusual pressures on management, e.g. tight reporting deadlines or market or financing expectations.
- Nature of business. Potential problems include technological obsolescence or over-dependence on a single product.
- Industry factors. Competitive conditions, regulatory requirements technology developments, changes in customer demand.
- Future plans of the client. This includes sale or floatation on stock exchange.
- High gearing. A client that has a large proportion of prior charge capital has high inherent risk.
- Liquidity problems. Cash-flow problems increase inherent risk.
- Information technology. Problems include lack of supporting documentation, concentration of expertise in a few people, potential for unauthorised access.
- The existence of put upon enquiry situation or audit query. There are certain situation when the auditor discovers evidence that either fraud or error occurred in the accounts.
(II) Factors affecting individual account balances or transactions
- Financial statement accounts prone to misstatement. Accounts which require adjustment in previous period or require high degree of estimation.
- Complex accounts. Accounts which require expert valuations or are subject of current professional discussion.
- Assets at risk of being lost or stolen like cash, inventory, and portable non-current assets.
- Quality of accounting systems. Strength or weaknesses of individual departments like sales, purchases, cash etc can increase or decrease the inherent risk.
- High volume transactions. This may make the accounting system fail to cope.
- Unusual transactions. Transaction for large amounts with unusual names not settled promptly (particularly important if they occur at period end). There are also transactions that do not go through the system that relate to specific clients or processed by certain individuals.
- Staff changes or areas of low morale.
- Some aggressive or unsuitably risky business practices pursued by management.
1.3.2 Control risk
Control risk is the risk that a misstatement could occur in an account balance or class of transactions, which could be material either individually or when aggregated with misstatement in other balances or classes and would not be prevented or detected and corrected on a timely basis by the accounting and internal control systems. Alternatively it is defined as risk that internal controls will not prevent or detect material errors.
The auditor should assess control risk at the planning stage of the audit if the auditors intend to rely on their assessment to reduce the extent to their substantive procedures. This assessment should be subsequently supported by tests of control.
Factors affecting control risk
The following are the factors that affect control risk.
- The quality and effectiveness of management and the degree of supervision exercised by management.
- The existence and quality of internal control.
- The competence of accounting staff.
- The nature of accounting records kept.
- The existence and effectives of the internal audit department, if there is one.
1.3.3 Detection risk
Detection risk is the risk that the auditors’ substantive procedures do not detect a misstatement that exists in an account balance or class of transactions that could be material either individually or when aggregated with misstatements in other balances or classes. Alternatively it is the risk that auditors’ substantive procedures and his review of the financial statements will not detect material errors.
Detection risk relates to the inability of the auditors to examine all evidence. Additional to this is the fact that audit evidence is usually persuasive rather than conclusive so that some detection risk is usually present allowing the auditors to seek reasonable confidence.
Examples of areas of detection risk include:
- Failure to recognise ‘put upon enquiry’ situations.
- Failure to draw the correct inferences from audit evidence and the analytical review.
- Use of wrong procedures in a particular situation.
- Failure to perform necessary audit work because of time or cost considerations.
- Failure to detect error or fraud because of poor sampling method or inadequate sample sizes.
Assessment of inherent risk, control risk and audit work
The auditor’s inherent risk and control risk assessments influence the nature, timing and extent of substantive procedures required to reduce detection risk and thereby audit risk.
Auditors need to be careful when relying on control risk assessment as good controls may impact upon some but not other aspects of audit areas. For example, good controls over the recording of sales and trade debtors (receivables) would not reduce audit testing on bad debts, as the amounts recorded may represent amounts that will not be collected.
In order to design an efficient audit methodology auditor should consider extent of testing, design of testing and timing of tests.
On extent of testing, if inherent and control risks are low, number of items to be tested is reduced. On design of testing, tests may be changed by placing more reliance on analytical procedures. Carrying out certain procedures at a certain time and placing reliance upon controls functioning at year end, affects the timing of tests.
Audit firm organisation and audit risk
It is essential that an audit firm should organize its affairs in such a way as to minimize the risk of paying damages to clients or third parties.
Features of audit firm which may minimize risk
- Proper recruitment and training of all personnel.
- Allocation of staff with appropriate ability to particular audits.
- Planning of the work of the firm in such a way that each audit can be approached in a relaxed but disciplined way and timing problems can be accommodated.
- Two way communication with staff on matters of general concern and in connection with specific audits.
- Use of audit manuals which conform to the audit standards and guidelines.
- Use of audit documentation which is comprehensive and yet which allows for special situations.
- Use of budgeting and other techniques to ensure that audits are remunerative and yet risk-minimising.
- Use of precise and frequently updated letters of engagement.
- Use of review techniques for all audits.
- Existence of a technical section so that all new developments are rapidly incorporated into the audit firm’s action.
Minimising risks that may rise from particular audit
The audit firm may minimize risks associated with specific audits in the following ways.
- Use of techniques for recognising the existence of audit risk.
- Segregating normal risk areas from high risk areas.
- Allocating audit staff that are competent to do the work especially in high risk areas.
- Extensive background research into the client and its industry.
- Careful planning with emphasis on high risk areas.
- Comprehensive documentation.
- Good briefing of audit staff.
- Particular attention to the conclusions reached from audit evidence.
- Special emphasis on the analytical review.
1.4 Management of audit risk
ISA 200 states that ‘to obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor’s opinion.’
Auditors will want their overall audit risk to be at an acceptable level, or it will not be worth them carrying out the audit. In other words, if the chance of them giving an inappropriate opinion and being sued is high, it might be better not to do the audit at all.
The auditors will obviously consider how risky a new audit client is during the acceptance process, and may decide not to go ahead with the relationship. However, they will also consider audit risk for each individual audit, and will seek to manage the risk.
As we have seen above, it is not in the auditors’ power to affect inherent or control risk. These are risks integral to the client, and the auditor cannot change the level of these risks.
The auditors therefore manage overall audit risk by manipulating detection risk, the only element of audit risk they have control over. This is because the more audit work the auditors carry out, the lower detection risk becomes, although it can never be entirely eliminated due to the inherent limitations of audit.
The auditors will decide what level of overall risk is acceptable, and then determine a level of audit work so that detection risk is as low as possible.
It is important to understand that there is not a standard level of audit risk which is generally considered by auditors to be acceptable. This is a matter of audit judgement, and so will vary from firm to firm and audit to audit. Audit firms are likely to charge higher fees for higher risk clients. Regardless of the risk level of the audit, however, it is vital that audit firms always carry out an audit of sufficient quality.
Auditors will want their overall audit risk to be at an acceptable level or it will not be worth them carrying out the audit.
The auditors will consider how risky a new audit client is during the acceptance process and may decide not to go ahead with the relationship.
The auditors will also consider audit risk for each individual audit and will seek to manage that risk. It is not in the auditors’ power to affect inherent or control risk.
The auditor, therefore, manages overall audit risk by manipulating detection risk. This is because the more audit work the auditors carry out, the lower detection risk becomes although it can never be entirely eliminated due to the inherent limitations of audit.
This audit risk management can be shown crudely in a mathematical equation. The auditor will decide what level of overall risk is acceptable and then determine a level of audit so that detection risk makes the equation work.
In example 2, as control risk is low the auditors are likely to carry out tests of control and seek to rely on the client’s system. However, this does not mean substantive tests can be eliminated entirely. Detection risk in this case would be affected by the amount of controls and substantive testing carried.
1.5 Identifying and assessing the risks
The auditor should identify and assess the risks of material misstatement at the financial statement level, and at the assertion level for classes of transactions, account balances and disclosures’. He/she should take the following steps:
Step 1: Identify risks throughout the process of obtaining an understanding of the entity.
Step 2: Relate the risks to what can go wrong at the assertion level.
Step 3: Consider whether the risks are of a magnitude that could result in a material misstatement.
Step 4: Consider the likelihood of the risks causing a material misstatement.
1.6 Business risk
Business risk is defined as the threat that an event or action will adversely affect a business ability to achieve the ongoing objectives. The threat can be internal or external.
The idea is that business face risks and an understanding of these risks gives the auditor a thorough understanding of the clients business and also suggests where misstatement may occur in the financial statements.
1.6.1 External business risks
External risks are those threats arising from outside the company and include the following.
• Changing legislation.
• Changing interest rates.
• Public opinion, attitudes, fashions.
• Price wars initiated by competition.
• Import competition.
• Untried technologies and ideas.
• Natural hazards.
• Bad debts.
• Environmental factors.
1.6.2 Internal business risks
Internal risks are risks arising from inside the company and can include the following.
• Failure to modernize products, processes, labour relations, and marketing etc.
• The process of dealing with suppliers or customers.
• Excessive reliance on a dominant chief executive.
• Cash-flow including overtrading.
• Inappropriate acquisitions.
• Excessive reliance on one of few products, customers, suppliers.
• Weak internal controls.
• Lack of research and development.
• Computer system failure.
1.7 Business risk approach
Business risk approach in auditing is an approach that focuses upon how an organisation responds to the risks it faces in achieving its goals and objectives; it aims to provide assurance on the management of the identified risks within the context of the entity’s corporate plans and aims.
In the business risk approach the direction of the audit is from the risks to the financial statements. The scope of an audit planning should be driven by relative business risk. In other words, audit resources should generally be applied to the areas of greatest business risk. It is a high level approach. This concept implies a continuing relationship with the client rather than a one off each year separate view.
It must be noted that auditors need more understanding of business and to that end large audit firms set up databases of information about the economy and the business world.
The ideas of inherent risk and control risk can be called residual risk which has to be minimized by audit action; the audit action carries with it detection risk. Residual risk is the level of risk remaining after the relevant controls have been applied by management to the gross (or ‘absolute’) risk. Residual risk represents the actual level of exposure that the entity faces. Since it leads to better understanding of the client’s business, it is possible to use analytical review more frequently as a verification of assertions procedure.
The business risk approach is an aid to the client acceptance and continuation procedures. This makes the audit to be tailor-made and a generalized approach to audits is neither productive nor economical.
Going concern considerations are a natural product of a business risk investigation and separate consideration of going concern may be necessary.
1.7.1 Importance of business risk approach
There are a number of reasons why a business risk approach is used.
(a) Research showed that processing errors rarely cause audit problems.
(b) Major audit problems arise out of issues such as going concern, major fraud by top management, large scale systems breakdown, failure to modernize products and lack of response to market forces.
(c) This approach helps the auditor to have a profound knowledge of the business.
(d) This approach helps the auditor to focus the audit on the high risk areas.
(e) The approach adds value to the audit and enables the auditor to offer some commercial benefits to the audit.
(f) Helps auditors to be aware of changes happening in the industry of the client.
(g) This helps to make audit economical as emphasis on transaction-based audit is expensive.
(h) Business risk approach show the fact that companies are much more at risk of failure than before due to the pace of change in business and computing and communication.
(i) This helps audit firms to become innovative so as to attract clients.
(j) The business risk review may show up areas where the audit firm can suggest that its highly paid services can be offered to the client.
(k) This facilitates audit firms to show product differentiation to potential clients.
(l) The business, environmental, corporate governance issues and the nature of management control are all now more significant for businesses.
(m) This approach tends to involve audit partners and senior managers much more in the planning stages of the audit.
1.7.2 Disadvantages of the business risk approach
This approach has the following disadvantages.
(a) More highly qualified and competent employees are required and that this negates some of the efficiency gains.
(b) The added value idea does tend to oppose the notion of independence which is very important currently.
1.8 Implications of the business risk for the auditor
The auditor needs to plan the audit and have understanding of the business.
The effect on planning may include the following.
• A consideration of the control environment.
• A consideration of risk management by management.
• Adequacy of accounting system in terms of Companies Act and nature of business.
• Consideration of going concern status of the company.
• Effect of risks on cash flow.
• Risk of fraud.
• Existence of related parties with different agendas.
• Threat of management misstating financial statements.
• Risk of withdrawal of support by loan or trade creditors.
1.9 Business risk and audit risk
Audit risk is divided into inherent risk, control risk and detection risk, and in a sense business risk encompasses inherent risk and control risk.
The first argument for this is that the business faces numerous external and internal risks. The other is that the auditor faces the risk of giving an inappropriate audit opinion on the financial statements.
The third point is that the effect of business risks is that the financial statements may contain misstatements. The audit risk arises out of the possibility of undetected misstatements in the financial statements.
There is also a fact that a major risk facing most companies is the failure of internal controls to prevent or detect material errors or fraud leading to misstatements in the financial statements. Finally a major risk to auditors is their tests may fail to detect errors and fraud which lead to misstatements in the financial statements.
Materiality is the expression of the relative importance of a particular matter in the context of the financial statements as a whole. Information is generally considered to be material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements. Materiality should be considered by the auditor when determining the nature, timing and extent of audit procedures and when evaluating the effects of misstatements.
2.1 Determining materiality and performance materiality when planning the audit
Performance materiality is the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.
Performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures.
During planning, the auditor must establish materiality for the financial statements as a whole. However, if there are classes of transactions, account balances or disclosures for which misstatements less than materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements, the auditor must also determine materiality levels to be applied to these.
The auditor must also determine performance materiality in order to assess the risks of material misstatement and to determine the nature, timing and extent of further audit procedures.
Determining materiality for the financial statements as a whole involves the exercise of professional judgement (which we covered in section 1 of this chapter). Generally, a percentage is applied to a chosen benchmark as a starting point for determining materiality for the financial statements as a whole. The following factors may affect the identification of an appropriate benchmark:
• Elements of the financial statements (e.g. assets, liabilities, equity, revenue, expenses)
• Whether there are items on which users tend to focus
• Nature of the entity, industry and economic environment
• Entity’s ownership structure and financing
• Relative volatility of the benchmark
The following benchmarks and percentages may be appropriate in the calculation of materiality for the financial statements as a whole.
Profit before tax 5
Gross profit ½ – 1 Revenue ½ – 1
Total assets 1 – 2
Net assets 2 – 5
Profit after tax 5 – 10
The determination of performance materiality involves the exercise of professional judgement and is affected by the auditor’s understanding of the entity and the nature and extent of misstatements identified in prior audits.
2.2 Revision of materiality
The level of materiality must be revised for the financial statements as a whole if the auditor becomes aware of information during the audit that would have caused the auditor to have determined a different amount during planning.
If the auditor concludes that a lower amount of materiality for the financial statements as a whole is appropriate, the auditor must determine whether performance materiality also needs to be revised, and whether the nature, timing and extent of further audit procedures are still appropriate. A revision to materiality might be required for example if during the audit it appears that actual results are going to be significantly different from the expected results, which were used to calculate materiality for the financial statements as a whole during planning.
• Assessment of critical points, for example, turning small profit into a loss is material.
2.4 Audit risk and materiality
Auditors should consider materiality and its relationship with audit risk. The following are key issues:
• Materiality is a matter of professional judgement and it has both quantity and quality dimensions.
• Auditors should take materiality into account when considering the nature, timing and extent of audit procedures.
• Materiality should be taken into account at the planning stage and reconsidered if the outcome of tests, enquiries or examinations differs from expectation.
• In evaluating whether the financial statements give a true and fair view auditors should assess the materiality of aggregate of uncorrected statements.
2.5 How materiality affects the audit work
(a) Materiality affects the nature and size of audit tests. The auditor needs to design audit procedures to verify only those items which could be materially wrong.
(b) When deciding whether to seek adjustment for errors found, the auditor is concerned that adjustments are made only of material errors.
2.6 Approaches to assignment of Materiality
There are two approaches that can be used.
• Bottom – up approach. This is judging materiality amounts in each account separately, and then combining them to determine the overall effect.
• Top-down approach. This is judging an overall material amount for the financial statements and then allocating it to particular accounts.
2.7 Planning Materiality
The concept of materiality is used by auditors as a guide to planning the audit program, to evaluation of the evidence, and for making decisions about the audit report.
2.8 Documentation of materiality
ISA 320 requires the following to be documented:
• Materiality for the financial statements as a whole
• Materiality level or levels for particular classes of transactions, account balances or disclosures if applicable
• Performance materiality
• Any revision of the above as the audit progresses
3 Understanding the entity and its environment
3.1 Why auditors need an understanding
ISA 315 Identifying and assessing the risks of material misstatement through understanding the entity and its environment states that the objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.
A summary is given below.
• To identify and assess the risks of material misstatement in the financial statements
• To enable the auditor to design and perform further audit procedures
• To provide a frame of reference for exercising audit judgement, for example, when setting audit materiality
• Industry, regulatory and other external factors, including the applicable financial reporting framework
• Nature of the entity, including operations, ownership and governance, investments, structure and financing
• Entity’s selection and application of accounting policies
• Objectives and strategies and related business risks that might cause material misstatement in the financial statements
• Measurement and review of the entity’s financial performance
• Internal control
• Inquiries of management and others within the entity
• Analytical procedures
• Observation and inspection
• Prior period knowledge
• Client acceptance or continuance process
• Discussion by the audit team of the susceptibility of the financial statements to material misstatement
• Information from other engagements undertaken for the entity
3.3 How do auditors gain an understanding?
ISA 315 sets out the methods that the auditor shall use to obtain the understanding and combination of these procedures should be used.
• Inquiries of management and others within the entity
• Analytical procedures
• Observation and inspection
ISA 315 also states the auditor shall consider whether information obtained from client acceptance or continuance processes is relevant.
If the engagement partner has performed other engagements for the entity, he/she shall consider whether information from these is relevant to identifying risks of material misstatement.
ISA 315 states that if the auditor is going to use information from prior year audits, the auditor shall determine whether changes have occurred that could affect the relevance to the current year’s audit.
ISA 315 also requires the engagement partner and other key team members to discuss the susceptibility of the financial statements to material misstatement, and the application of the applicable financial reporting framework to the entity’s facts and circumstances. The engagement partner shall determine what matters are to be communicated to team members not involved in the discussion.
The auditors will usually obtain most of the information they require from staff in the accounts department, but may also need to make enquiries of other personnel, for example, internal audit, production staff or those charged with governance.
Those charged with governance may give insight into the environment in which the financial statements are prepared. In-house legal counsel may help with understanding matters such as outstanding litigation, or compliance with laws and regulations. Sales and marketing personnel may give information about marketing strategies and sales trends.
3.3.2 Analytical procedures
Analytical procedures consist of the evaluations of financial information made by a study of plausible relationships among both financial and non-financial data. They also encompass the investigation of identified fluctuations and relationships that are consistent with other relevant information or deviate significantly from predicted amounts.
Analytical procedures can be used at all stages of the audit. ISA 315 requires their use during the risk assessment stage of the audit.
Analytical procedures include:
(a) The consideration of comparisons with: • Similar information for prior periods
• Anticipated results of the entity, from budgets or forecasts
• Predictions prepared by the auditors
• Industry information
(b) Those between elements of financial information that are expected to conform to a predicted pattern based on the entity’s experience, such as the relationship of gross profit to sales.
(c) Those between financial information and relevant non-financial information, such as the relationship of payroll costs to number of employees.
A variety of methods can be used to perform the procedures discussed above, ranging from simple comparisons to complex analysis using statistics, on a company level, branch level or individual account level. The choice of procedures is a matter for the auditors’ professional judgement. The use of information technology may be extensive when carrying out analytical procedures during risk assessment.
Auditors may also use specific industry information or general knowledge of current industry conditions to assess the client’s performance.
As well as helping to determine the nature, timing and extent of other audit procedures, such analytical procedures may also indicate aspects of the business of which the auditors were previously unaware. Auditors are looking to see if developments in the client’s business have had the expected effects. They will be particularly interested in changes in audit areas where problems have occurred in the past.
Analytical procedures at the risk assessment stage of the audit are usually based on interim financial information, budgets or management accounts.
3.3.3 Observation and inspection
These techniques are likely to confirm the answers made to inquiries made of management. They will include observing the normal operations of a company, reading documents or manuals relating to the client’s operations or visiting premises and meeting staff.
3.3.4 Companies that use e-business
IAPS 1013 Electronic commerce – effect on the audit of financial statements provides guidance to auditors auditing entities that engage in e-commerce. The IAPS identifies specific matters to assist the auditor when considering the significance of e-commerce to the entity’s business and the effect on the auditor’s risk assessment.
The auditor needs to consider whether the skills and knowledge of team members are appropriate to perform the audit, and also whether an expert is required.
The auditor also needs to have a good understanding of the business to assess the significance of ecommerce and its effect on audit risk. The auditor should consider the following:
• The entity’s business activities and industry
• The entity’s e-commerce strategy
• The extent of e-commerce activities
• Outsourcing arrangements
The IAPS identifies specific business risks affecting entities that engage in e-commerce, which are outlined below.
• Loss of transaction integrity
• Security risks
• Improper accounting policies (e.g. capitalisation of expenditure, translation of foreign currency, allowances for warranties and returns, revenue recognition)
• Non-compliance with taxation and other laws and regulations
• Failure to ensure that contracts are binding
• Over-reliance on e-commerce
• Systems and infrastructure failures or crashes
The auditor uses the knowledge of the business gained to identify events, transactions and practices related to business risks arising from e-commerce activities that may result in material misstatements in the financial statements.
The auditor also considers the control environment and control procedures that are relevant to the financial statement assertions, in accordance with ISA 315, in particular those relating to security, transaction integrity and process alignment.
4 Assessing the risks of material misstatement
4.1 Identifying and assessing the risks of material misstatement
ISA 315 says that the auditor shall identify and assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures.
It requires the auditor to take the following steps:
• Identify risks throughout the process of obtaining an understanding of the entity and its environment
• Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as a whole
• Relate the risks to what can go wrong at the assertion level
• Consider the likelihood of the risks causing a material misstatement
Assertions are representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditors to consider the different types of potential misstatements that may occur.
4.2 Significant risks
Significant risks are those that require special audit consideration. It is important that the auditor determine whether any of the risks are significant risks.
The following factors indicate that a risk might be significant:
• Risk of fraud
• Its relationship with recent economic, accounting or other developments
• The degree of subjectivity in the financial information
• It is an unusual transaction
• It is a significant transaction with a related party
• The complexity of the transaction
Routine, non-complex transactions are less likely to give rise to significant risk than unusual transactions or matters of management judgement. This is because unusual transactions are likely to have more:
• Management intervention
• Complex accounting principles or calculations
• Manual intervention
• Opportunity for control procedures not to be followed
When the auditor identifies a significant risk, if he has not done so already, he shall obtain an understanding of the entity’s controls relevant to that risk.
5 Responding to the risk assessment
The main objective of ISA 330 The auditor’s responses to assessed risks is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement, through designing and implementing appropriate responses to those risks.
5.1 Overall responses
Overall responses include issues such as emphasising to the team the importance of professional scepticism, allocating more staff, using experts or providing more supervision.
Overall responses to address the risks of material misstatement at the financial statement level will be changes to the general audit strategy or re-affirmations to staff of the general audit strategy. For example:
• Emphasising to audit staff the need to maintain professional scepticism
• Assigning additional or more experienced staff to the audit team
• Providing more supervision on the audit
• Incorporating more unpredictability into the audit procedures
• Making general changes to the nature, timing or extent of audit procedures
The evaluation of the control environment that will have taken place as part of the assessment of the client’s internal control systems will help the auditor determine what type of audit approach to take.
5.2 Responses to the risks of material misstatement at the assertion level
The ISA says that the auditor shall design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level. ‘Nature’ refers to the purpose and the type of test that is carried out, which include tests of controls and substantive tests.
5.2.1 Tests of controls
Tests of controls are audit procedures designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.
When the auditor’s risk assessment includes an expectation that controls are operating effectively, the auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating.
The auditor shall also undertake tests of control when it will not be possible to obtain sufficient appropriate audit evidence simply from substantive procedures. This might be the case if the entity conducts its business using IT systems which do not produce documentation of transactions.
In carrying out tests of control, auditors shall use inquiry, but shall also use other procedures. Re-performance and inspection will often be helpful procedures.
When considering timing in relation to tests of controls, the purpose of the test will be important. For example, if the company carries out a year-end inventory count, controls over the inventory count can only be tested at the year-end. Other controls will operate all year round, and the auditor may need to test that those controls have been effective throughout the period.
Some controls may have been tested in prior audits and the auditor may choose to rely on that evidence of their effectiveness. If this is the case, the auditor shall obtain evidence about any changes since the controls were last tested and shall test the controls if they have changed. In any case, controls shall be tested for effectiveness at least once in every three audits.
If the related risk has been designated a significant risk, the auditor shall not rely on testing done in prior years, but shall perform testing in the current year.
5.2.2 Substantive procedures
Substantive procedures are audit procedures designed to detect material misstatements at the assertion level. They consist of tests of details of classes of transactions, account balances and disclosures, and substantive analytical procedures.
The auditor shall always carry out substantive procedures on material items. The ISA says that irrespective of the assessed risk of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance and disclosure.
In addition, the auditor shall carry out the following substantive procedures:
• Agreeing or reconciling the financial statements to the underlying accounting records
• Examining material journal entries
• Examining other adjustments made in preparing the financial statements
Substantive procedures fall into two categories: analytical procedures and tests of details. The auditor must determine when it is appropriate to use which type of substantive procedure.
Analytical procedures as substantive procedures tend to be appropriate for large volumes of predictable transactions (for example, wages and salaries). Tests of detail may be appropriate to gain information about account balances for example, inventory or trade receivables.
Tests of detail rather than analytical procedures are likely to be more appropriate with regard to matters which have been identified as significant risks, but the auditor must develop procedures that are specifically responsive to that risk, which may include analytical procedures. Significant risks are likely to be the most difficult to obtain sufficient appropriate audit evidence about.
6 Fraud, law and regulations
6.1 What is fraud?
Fraud is an intentional act by one or more individuals among management, those charged with governance, employees or third parties involving the use of deception to obtain an unjust or illegal advantage. Fraud may be perpetrated by an individual, or colluded in, with people internal or external to the business.
Fraud risk factors are events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud.
Fraud is a wide legal concept, but the auditor’s main concern is with fraud that causes a material misstatement in financial statements. It is distinguished from error, which is when a material misstatement is caused by mistake, for example, in the misapplication of an accounting policy.
Specifically, there are two types of fraud causing material misstatement in financial statements:
• Fraudulent financial reporting
• Misappropriation of assets
6.1.1 Fraudulent financial reporting
Fraudulent financial reporting involves intentional misstatements, including omissions of amounts or disclosures in financial statements, to deceive financial statement users.
This may include:
• Manipulation, falsification or alteration of accounting records/supporting documents
• Misrepresentation (or omission) of events or transactions in the financial statements
• Intentional misapplication of accounting principles
Such fraud may be carried out by overriding controls that would otherwise appear to be operating effectively, for example, by recording fictitious journal entries or improperly adjusting assumptions or estimates used in financial reporting.
6.1.2 Misappropriation of assets
Misappropriation of assets involves the theft of an entity’s assets and is often perpetrated by employees in relatively small and immaterial amounts. However, it can also involve management who are usually more capable of disguising or concealing misappropriations in ways that are difficult to detect.
This is the theft of the entity’s assets (for example, cash, inventory). Employees may be involved in such fraud in small and immaterial amounts, but it can also be carried out on a larger scale by management who may then conceal the misappropriation, for example by:
• Embezzling receipts (for example, diverting them to private bank accounts)
• Stealing physical assets or intellectual property (inventory, selling data)
• Causing an entity to pay for goods not received (payments to fictitious vendors) • Using assets for personal use
6.2 Fraud and the auditor
ISA 240 The auditor’s responsibilities relating to fraud in an audit of financial statements provides guidance to auditors in this area.
6.2.1 Responsibilities of management and auditors
The primary responsibility for the prevention and detection of fraud is with those charged with governance and the management of an entity. This is effected by having a commitment to creating a culture of honesty and ethical behaviour and active oversight by those charged with governance.
The auditor is responsible for obtaining reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error. The risk of not detecting a material misstatement from fraud is higher than from error because of the following reasons:
• Fraud may involve sophisticated schemes designed to conceal it.
• Fraud may be perpetrated by individuals in collusion.
• Management fraud is harder to detect because management is in a position to manipulate accounting records or override control procedures.
The auditor is responsible for maintaining professional scepticism throughout the audit, considering the possibility of management override of controls, and recognising that audit procedures effective for detecting errors may not be effective for detecting fraud.
6.2.2 Risk assessment
ISA 315 requires a discussion among team members that places particular emphasis on how and where the financial statements may be susceptible to fraud.
Risk assessment procedures to obtain information in identifying the risks of material misstatement due to fraud shall include the following:
(i) Inquiries of management regarding:
• Management’s assessment of the risk that the financial statements may be misstated due to fraud
• Management’s process for identifying and responding to the risk of fraud
• Management’s communication to those charged with governance in respect
of its process for identifying and responding to the risk of fraud
• Management’s communication to employees regarding its views on business practices and ethical behaviour
• Knowledge of any actual, suspected or alleged fraud
(ii) Inquiries of internal audit for knowledge of any actual, suspected or alleged fraud, and its views on the risks of fraud
(iii) Obtaining an understanding of how those charged with governance oversee management’s processes for identifying and responding to the risk of fraud and the internal control established to mitigate these risks
(iv) Inquiries of those charged with governance for knowledge of any actual, suspected or alleged fraud
(v) Evaluating whether any unusual relationships have been identified in performing analytical procedures that may indicate risk of material misstatement due to fraud
(vi) Considering whether any other information may indicate risk of material misstatement due to fraud
(vii) Evaluating whether any fraud risk factors are present
In accordance with ISA 315, the auditor shall identify and assess the risks of material misstatement due to fraud at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures. These risks shall be treated as significant risks.
In accordance with ISA 330, the auditor shall determine overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level. In this regard, the auditor shall:
• Assign and supervise staff responsible taking into account their knowledge, skill and ability.
• Evaluate whether the accounting policies may be indicative of fraudulent financial reporting.
• Incorporate unpredictability in the selection of the nature, timing and extent of audit procedures.
6.2.3 Communication to management and those charged with governance
If the auditor identifies fraud or receives information that a fraud may exist, the auditor shall report this on a timely basis to the appropriate level of management.
If the auditor identifies or suspects fraud involving management, employees with significant roles in internal control, and others where fraud could have a material effect on the financial statements, he shall communicate this on a timely basis to those charged with governance.
The auditor also needs to consider whether there is a responsibility to report to the regulatory or enforcement authorities – the auditor’s professional duty of confidentiality may be overridden by laws and statutes in certain jurisdictions.
6.3 Law and regulations
The auditor is also required to consider the issue of law and regulations in the audit. Auditors are given guidance in ISA 250 Consideration of laws and regulations in an audit of financial statements, the objectives of the auditor are:
• To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations that have a direct effect on the determination of material amounts and disclosures in the financial statements
• To perform specified audit procedures to help identify non-compliance with other laws and regulations that may have a material effect on the financial statements
• To respond appropriately to non-compliance/suspected non-compliance identified during the audit
6.3.1 Responsibilities of management and auditors
It is management’s responsibility to ensure that the entity complies with the relevant laws and regulations. It is not the auditor’s responsibility to prevent or detect non-compliance with laws and regulations.
The auditor’s responsibility is to obtain reasonable assurance that the financial statements are free from material misstatement, and in this respect, the auditor must take into account the legal and regulatory framework within which the entity operates.
ISA 250 distinguishes the auditor’s responsibilities in relation to compliance with two different categories of laws and regulations:
• Those that have a direct effect on the determination of material amounts and disclosures in the financial statements
• Those that do not have a direct effect on the determination of material amounts and disclosures in the financial statements but where compliance may be fundamental to the operating aspects, ability to continue in business, or to avoid material penalties
For the first category, the auditor’s responsibility is to obtain sufficient appropriate audit evidence about compliance with those laws and regulations.
For the second category, the auditor’s responsibility is to undertake specified audit procedures to help identify non-compliance with laws and regulations that may have a material effect on the financial statements. These include inquiries of management and inspecting correspondence with the relevant licensing or regulatory authorities.
6.3.2 Audit procedures
In accordance with ISA 315, the auditor shall obtain a general understanding of:
• The applicable legal and regulatory framework
• How the entity complies with that framework
The auditor can achieve this understanding by using his/her existing understanding and updating it, and making inquiries of management about other laws and regulations that may affect the entity, about its policies and procedures for ensuring compliance, and about its policies and procedures for identifying, evaluating and accounting for litigation claims.
The auditor shall remain alert throughout the audit to the possibility that other audit procedures may bring instances of non-compliance or suspected non-compliance to the auditor’s attention. These audit procedures could include:
• Reading minutes
• Making inquiries of management and in-house/external legal advisors regarding litigation, claims and assessments
• Performing substantive tests of details of classes of transactions, account balances or disclosures
The auditor shall request written representations from management that all known instances of noncompliance or suspected non-compliance with laws and regulations whose effects should be considered when preparing the financial statements have been disclosed to the auditor.
6.3.3 Audit procedures when non-compliance is identified or suspected
The following factors may indicate non-compliance with laws and regulations:
• Investigations by regulatory authorities and government departments
• Payment of fines or penalties
• Payments for unspecified services or loans to consultants, related parties, employees or government employees
• Sales commissions or agents’ fees that appear excessive
• Purchasing at prices significantly above/below market price
• Unusual payments in cash
• Unusual transactions with companies registered in tax havens
• Payment for goods and services made to a country different to the one in which the goods and services originated
• Payments without proper exchange control documentation
• Existence of an information system that fails to provide an adequate audit trail or sufficient evidence
• Unauthorised transactions or improperly recorded transactions
• Adverse media comment
The following is a summary of audit procedures to be performed when non-compliance is identified or suspected.
• Obtain understanding of nature of act and circumstances.
• Obtain further information to evaluate possible effect on financial statements.
• Discuss with management and those charged with governance.
• Consider need to obtain legal advice if sufficient information not provided and matter is material.
• Evaluate effect on auditor’s opinion if sufficient information not obtained.
• Evaluate implications on risk assessment and reliability of written representations.
6.3.4 Reporting identified or suspected non-compliance
The auditor shall communicate with those charged with governance, but if the auditor suspects that those charged with governance are involved, the auditor shall communicate with the next higher level of authority such as the audit committee or supervisory board. If this does not exist, the auditor shall consider the need to obtain legal advice.
The auditor shall consider the impact on the auditor’s report if he/she concludes that the non-compliance has a material effect on the financial statements and has not been adequately reflected or is prevented by management and those charged with governance from obtaining sufficient appropriate audit evidence to evaluate whether non-compliance is material to the financial statements.
The auditor shall determine whether identified or suspected non-compliance has to be reported to the regulatory and enforcement authorities. Although the auditor must maintain the fundamental principle of confidentiality, in some jurisdictions the duty of confidentiality may be overridden by law or statute.
7 Documentation of risk assessment
The need for auditors to document their audit work is discussed in the next chapter where we will look in particular at the audit plan and the audit strategy, two documents for
planning. ISAs 315 and 330 contain a number of general requirements about documentation, and we shall briefly run through those here.
The following matters shall be documented during planning
• The discussion among the audit team concerning the susceptibility of the financial statements to material misstatements, including any significant decisions reached
• Key elements of the understanding gained of the entity regarding the elements of the entity and its internal control components specified in ISA 315, the sources of the information gained and the risk assessment procedures carried out
• The identified and assessed risks of material misstatement at the financial statement level and at the assertion level
• Risks identified and related controls evaluated
• The overall responses to address the risks of material misstatement at the financial statement level
• Nature, extent and timing of further audit procedures linked to the assessed risks at the assertion level
• Results of audit procedures
• If the auditors have relied on evidence about the effectiveness of controls from previous audits, conclusions about how this is appropriate
• Demonstration that the financial statements agree or reconcile with the underlying accounting records
8 Audit planning
Planning an audit involves establishing the overall audit strategy for the engagement and developing an audit plan. Adequate planning benefits the audit of financial statements in several ways, including the following noted, but simply put planning is required because an audit is an expensive process and a potentially complex project which needs to be managed effectively.
8.1 The importance of planning
An effective and efficient audit relies on proper planning procedures. The planning process is covered in general terms by ISA 300 Planning an audit of financial statements which states that the auditor shall plan the audit so that the engagement is performed in an effective manner.
Audits are planned to:
• Help the auditor devote appropriate attention to important areas of the audit.
• Help the auditor identify and resolve potential problems on a timely basis.
• Help the auditor properly organise and manage the audit so it is performed in an effective manner.
• Assist in the selection of appropriate team members and assignment of work to them.
• Facilitate the direction, supervision and review of work.
• Assist in coordination of work done by auditors of components and experts.
Audit procedures should be discussed with the client’s management, staff and/or audit committee in order to co-ordinate audit work, including that of internal audit. However, all audit procedures remain the responsibility of the external auditors.
A structured approach to planning will include:
Auditors must ensure that ethical requirements are met, including independence
Auditors must ensure the terms of the engagement are understood
Auditors must establish the overall audit strategy that sets the scope, timing and direction of the audit and guides the development of the audit plan
• Identify the characteristics of the engagement that define its scope.
• Ascertain the reporting objectives to plan the timing of the audit and nature of communications required.
• Consider significant factors in directing the team’s efforts.
• Consider results of preliminary engagement activities.
• Ascertain nature, timing and extent of resources necessary to perform the engagement.
Finally auditors develop audit plan that includes the nature, timing and extent of planned risk assessment procedures and further audit procedures
8.2 The overall audit strategy and the audit plan
The overall audit strategy and audit plan shall be updated and changed as necessary during the course of the audit.
8.2.1 The audit strategy
Audit strategy is defined as the planning process to develop an efficient and effective audit which includes making decisions in relation to the scope of the audit, the general evidence requirements for the forming of an opinion, and the initial choice as to the nature, timing and extent of audit procedures to make efficient use of resources.
The matters the auditor may consider in establishing an overall audit strategy are set out below.
Matters to consider in the overall audit strategy
(i) Characteristics of the engagement
• Financial reporting framework
• Industry-specific reporting requirements
• Expected audit coverage
• Nature of business segments
• Availability of internal audit work
• Use of service organisations
• Effect of information technology on audit procedures • Availability of client personnel and data
(ii) Reporting objectives, timing of the audit and nature of communications
• Entity’s timetable for reporting
• Organisation of meetings with management and those charged with governance
• Discussions with management and those charged with governance
• Expected communications with third parties
(iii) Significant factors, preliminary engagement activities, and knowledge gained on other engagements
• Determination of materiality
• Areas identified with higher risk of material misstatement
• Results of previous audits
• Need to maintain professional scepticism
• Evidence of management’s commitment to design, implementation and
maintenance of sound internal control
• Volume of transactions
• Significant business developments
• Significant industry developments
• Significant changes in financial reporting framework
• Other significant recent developments
(iv) Nature, timing and extent of resources
• Selection of engagement team
• Assignment of work to team members
• Engagement budgeting
Examples of items to include in the overall audit strategy could be:
• Industry-specific financial reporting requirements
• Number of locations to be visited
• Audit client’s timetable for reporting to its members
• Communication between the audit team and the client
22.214.171.124 The impact of fraud on the audit strategy
Fraud may lead to a material misstatement in the financial statements. If the auditor assesses that the risk of fraud is high, there is an increased probability of misstatement. The impact on the audit strategy may be:
• A reduction in the materiality level set
• An increase level of testing in the areas where fraud is suspected.
• A reduced reliance on evidence generated internally by the client.
• An increased focus on externally generated evidence.
• If senior management is suspected of involvement with the fraud, a reduced reliance on management representations.
9 The audit plan
The audit plan converts the audit strategy into a more detailed plan and includes the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level.
The audit plan shall include the following:
• A description of the nature, timing and extent of planned risk assessment procedures
• A description of the nature, timing and extent of planned further audit procedures at the assertion level
• Other planned audit procedures required to be carried out for the engagement to comply with ISAs
The planning for these procedures occurs over the course of the audit as the audit plan develops.
Examples of items included in the audit plan could be:
• Timetable of planned audit work
• Allocation of work to audit team members
• Audit procedures for each major account area (e.g. inventory, receivables, cash
• Materiality for the financial statements as a whole and performance materiality Any changes made during the audit engagement to the overall audit strategy or audit plan, and the reasons for such changes, shall be included in the audit documentation.
9.1 Interim and final audits
Auditors usually carry out their audit work for a financial year in one or more sittings. These are referred to as the interim audit(s) and the final audit.
The interim audit visits are carried out during the period of review and work focuses on planning and risk assessment and tests of controls and systems, although substantive audit procedures may also be carried out. The final audit visit is at the year-end or shortly after and work focuses on the audit of the financial statements.
ISA 330 The auditor’s responses to assessed risks states that the higher the risk of material misstatement, the more likely it is that the auditor will decide that it is more effective to undertake substantive procedures nearer to, or at, the period-end rather than earlier. However, performing audit procedures before the period-end can assist in identifying significant matters at an early stage of the audit and being able to resolve them with management’s assistance or developing an effective audit approach to address them.
Auditors must obtain evidence that controls have operated effectively throughout the period. ISA 330 states that when the auditor obtains evidence about the operating effectiveness of controls during an interim audit visit, the auditor must determine what additional audit evidence should be obtained for the remaining period.
The ISA makes a similar observation with regard to substantive procedures: when substantive procedures are performed at an interim audit visit, the auditor shall perform further substantive procedures or substantive procedures combined with tests of controls to cover the remaining period that provide a reasonable basis for extending the audit conclusions from the interim date to the period-end.
Some audit procedures can only be performed at the final audit visit, such as agreeing the financial statements to the accounting records and examining adjustments made during the process of preparing the financial statements.
9.2 Documenting the planning process
The auditor is required by ISAs 315 and 330 to document the following (which may be contained within or referred to in the audit strategy):
• The discussion among the audit team concerning the susceptibility of the financial statements to material misstatements, including any significant decisions reached.
• Key elements of the understanding gained of the entity including the elements of the entity and its control specified in the ISA as mandatory, the sources of the information gained and the risk assessment procedures carried out.
• The identified and assessed risks of material misstatement.
• Significant risks identified and related controls evaluated.
• The overall responses to address the risks of material misstatement
• Nature, extent and timing of further audit procedures linked to the assessed risks at the assertion level.
• The results of the audit procedures including the conclusions where these are not otherwise clear.
• If the auditors have relied on evidence about the effectiveness of controls from previous audits, conclusions about how this is appropriate.
10. Audit program
An auditor prepares a plan after the selection of senior and junior staffs allocating the jobs to them, mentioning when to start, how to do the work etc. This plan is known as audit program. An auditor should include all the procedures in written form, objectives of each sector and all the directions which are to be given to the staffs which helps to control their works and helps to implement such programs into action. Following are the facts regarding meaning of audit program:
• Audit program is a detailed work plan which includes the time of doing work and how to do the works.
• Audit program includes audit procedures
• Audit program estimates the duration to complete the audit task
• Senior staffs prepare audit program to junior staffs on the basis of nature of business
• Generally accepted points are included in the audit program
• Audit team members put tick marks in the completed tasks
10.1 Contents of audit program
Audit program is a detailed program which helps to guide and control the junior staffs. Audit program classifies the work of junior audit team members which helps to complete the audit task without leaving any points uncovered. Audit program is prepared on all the programs, nature and size of business, internal check and internal control.
The contents are as follows.
• Detailed information of instructions of all the audit team members like audit of bank/ cash book, purchase book, sales book etc.
• Auditor should prepare audit program considering the nature of client.
• Separate list of work assigned to team member
• Time period to complete task assigned
• Signature of audit staff to indicate completion of task
10.2 Objectives of audit programs
Audit program has the following objectives:
(a) Audit program helps to check systematically the books of accounts which help to conduct an effective audit.
(b) Audit program specifies the time period clearly, which helps to complete the work of audit in less time.
(c) The signature that audit staff writes after the completion of work specifies the responsibility and accountability of audit team members. It also helps to prove the completion of task.
(d) Helps review of proposed scope of audit preparing proper plan.
(e) Audit program shows the way to the new staffs to perform work of audit.
10.3 Advantages of audit program
(a) Audit program saves time and labour
All the directions which are to be given to assistant are clearly stated in the audit program which helps to complete the task in time. Audit program also helps to conduct the audit of the business in coming years which saves time and labour.
(b) Audit program increases efficiency
All the responsibilities of auditor are divided among the number of staffs considering their skill and intelligence which helps to complete the work of audit properly. Similarly, the works are divided among the assistant staffs on the basis of their calibre which helps to increase efficiency.
(c) Audit program helps to control
An auditor can compare the work performed by the assistants on the basis of audit program which helps to control their work if there are any deficiencies.
(d) Audit program helps to maintain uniformity
Tasks are divided among the team members; so there is no any chance of leaving non audited statements. If the work of audit is performed on the basis of audit program every year, uniformity can be maintained in the work of audit which helps to compare the report of various years.
(e) Audit program helps in accountability
Work of juniors is clearly defined in the audit program and assistant puts signature in the completed work and this makes them liable for such work.
(f) Audit program helps to maintain continuity
Audit program clearly shows the completed task and procedures of doing work. So, if any staff leaves the job or remains absent, new staff can easily continue the job of audit.
(g) Audit program helps to present as proof
Auditor can present audit program as proof if he/she has been accused of misfeasance or negligence and can get clearance from such accusation. Audit program can be presented in the court also as evidence.
10.4 Disadvantages of audit program
Even though audit program has number of advantages, it is not free from limitations. Some of the major disadvantages of audit program are as follows:
(a) Audit program harasses audit staff
All the staffs should perform task within the limitation given in audit program. Audit staff cannot use their knowledge and calibre or creativity and this harasses them.
Nature and size of business differs. The audit program which is prepared at the beginning of the year remains unsuitable. Different organizations may have their own problems; hence similar type of program may not be applicable to all.
(c) Audit program is unsuitable to small concern
Small concern has less transactions and work of audit can be completed in short period of time. So, audit program is not essential to audit such concern.
(d) Exclusion of Problems of new technology
New techniques and technologies are used in the work of accounting. Such technology creates the problem in the work of audit but such problems and remedial measures are not included in the audit program.
10.5 Types of audit program
Audit program can be classified into following two groups such as fixed audit program and flexible audit program
10.5.1 Fixed audit program/ Standardised Audit program
Generally, auditor prepares audit program on the suggestions and recommendation of assistant staffs but such program cannot be changed during the course of audit which is known as fixed audit program. Such program, due to pace of time or change in the situation and size of the client needs to change even though it cannot be changed. Fixed audit Program can be used in all the organizations
Advantages of fixed audit program
(a) Fixed audit programs are prepared once and program is used in all the organization. So, it saves time and cost.
(b) All the works are completed within the stipulated time because auditor does not change such program on the request of assistant staff.
(c) Audit program fixes the responsibility of assistant staffs. So, they know their responsibility and complete their work in time which helps to prepare and present report in time.
Disadvantages of fixed audit program
(a) Such program is rigid and then it cannot be used in all organizations because nature and size of all the businesses do not remain same.
(b) Same program will not be useful in the big and small organizations.
(c) Fixed audit program is unscientific and impracticable because it does not incorporate the changes caused by time and situation.
(d) Fixed audit program harasses the staffs because intelligent staffs cannot use their skill and knowledge.
10.5.2. Flexible audit program
An audit program which can be changed as per the need, time, nature of business and auditing standard is known as flexible audit program. Such program should be reviewed on the recommendations and suggestions of assistants. Such change can be made due to change in number of work, nature of business, change in management and their feelings. It is just taken as helping part but assistants can use their knowledge, calibre and intelligence.
Advantages of flexible audit program
(a) Auditing remains effective because it can be changed if the change is made in the nature and size of business.
(b) Assistant audit staff members remain happy because such programs are prepared incorporating to the problems of assistant staffs.