Chapter 6

Audit Planning and Risk Assessment

Learning Objectives

1. Learn the steps of the planning process for an integrated audit.

2. Become familiar with the components that impact the audit strategy and audit plan.

3. Understand the relationship of risk assessment, materiality, and planning.

4. Define the Fraud Triangle and recognize fraud risk factors.

5. Identify triggers for reevaluating the audit strategy and audit plan.

6. Summarize important information that is documented as part of audit planning.

7. Identify changes that can be made to audit approaches for higher risk areas.

8. Explain different types of audit activities and their purposes.

Overview of the Planning and Risk Assessment Process

Exhibit 6-1

One Engagement

Planning for an integrated audit must achieve the objectives of both audits – opinion on the financial statements and opinion on ICFR

Auditor needs sufficient evidence to Assess risk Address ICFR effectiveness

For an ICFR opinion in a financial statement audit For decision on how much to rely on ICFR in a

financial statement audit Address fairness of the financial statements

Overview of Planning

Audit planning is a continuous process; the audit plan may need to be adjusted as new information is obtained

Risk assessment is integrated throughout, including assessing fraud risk

Steps in planning Establishing the audit strategy Planning the audit resources Develop the audit plan Communication on planning

Overall Audit Strategy

Big picture of the audit; auditors can do this before they do audit procedures based on Experience in and knowledge of the industry Information gained through client acceptance

process Previous audit engagements, such as quarterly

reviews Components of the audit strategy

Scope of the engagement Timing Materiality and risk Fraud risk

Audit Strategy: Scope of the Engagement

What are deliverables for this particular client?

How much and what type of work does the auditor need to do?

When and where does the work need to be done?

How should the work be scaled to fit the size, environment and complexity of the audit client?

Audit Strategy: Scope of the EngagementClient attributes that affect scope: Accounting presentation

Is the presentation US GAAP, IFRS, GASB, statutory based, other?

Entity structure Is it public or privately owned? Is it a parent or subsidiary? Does it have

multiple locations, and if so what is the materiality at the other locations?

Information technology Complexity of the system? Entity level and application controls?

Client outsourcing How important are outsourced services? How will audit address the

service provider?

Work of others How will this affect the nature, timing and extent of audit procedures?

First year vs. continuing audits

Audit Strategy: Timing

Client events that create audit deadlines Key dates for communication with

management, Audit Committee and Board of Directors

SEC deadlines for filing quarterly and annually Date at which other auditors will supply or need

audit reports Requirements of other regulators

Are audit resources (human resources) available in the right combinations at the right times?

Audit Strategy: Materiality and Risk

Materiality …the magnitude of an omission or

misstatement of accounting information that, in the light of surrounding circumstances, makes it probably that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatements

Audit Strategy: Materiality and Risk

Auditors assess materiality based on whether the issue would influence the economic decisions of users with certain qualifications Appropriate knowledge Willingness to study the financial statements Understand the concept of materiality Understand measurement issues like estimates

and judgments Will make appropriate economic decisions

using the financial statements

Audit Strategy: Materiality and RiskTop Down Approach What amount is material at the financial statement level? What accounts and disclosures are significant to the financial

statements? What assertions are relevant to the significant accounts and

disclosures? What could go wrong to cause a material misstatement or omission

related to each relevant assertion in each significant account or disclosure?

Is there a control in place that is intended to prevent that event (the risk) from occurring or that will detect it on a timely basis? If yes, is the control designed sufficiently well that (if it operates effectively) it will prevent or detect the risk? If yes, does the control operate well enough (effectively) to prevent or detect the risk?

Are there any material misstatements or omissions in any significant accounts or disclosures?

Audit Strategy: Materiality and Risk Materiality includes both quantitative and

qualitative aspects; something might not be material from a quantitative perspective but have qualitative characteristics that make it material regardless of amount. Management fraud is an example of something that is material regardless of amount.

Significant risks are risks in the business that are important enough to require special audit consideration. When auditing a non-public company that does not require an ICFR opinion the auditor may not choose to rely on internal controls when planning tests of balances. Even in that situation, the auditor must identify and assess the impact of significant risks.

Audit Strategy: Materiality and Risk

Materiality Set at financial statement level and at

account balance level Planning concepts of materiality:

Tolerable misstatement (for account balances) Tolerable rate of error (for ICFR) Qualitative materiality

Auditor judgment Benchmarks or rule of thumb, or quantitative

analysis to set planning materiality

Audit Strategy: Materiality and Risk

The auditor decides what tolerable misstatement is for an account balance and tolerable rate of error is for a control.

The auditor conducts the planned audit procedures to test the account balance. In general, if the conclusion is that the account balance misstatement is less than the tolerable misstatement the auditor accepts the account balance.

If a control is effectively designed, the auditor conducts the planned audit procedures to test the operating effectiveness of the control. In general, if the conclusion is that the control’s failure rate is less than the tolerable rate of error, then the auditor concludes that the control is effective.

Audit Strategy: Fraud Risk

Preliminary assessment of fraud risk during planning; brainstorming session

Responsibility to maintain professional skepticism

Fraud Triangle: incentive, opportunity, rationalization

Auditor specifically tests the operating effectiveness of anti-fraud controls

Audit planning also includes client’s risk of illegal acts that could materially impact the financial statements

Audit Strategy: Fraud Risk

Anti-fraud controls include those: Over significant, unusual transactions

particularly late or unusual journal entries Over journal entries and adjustments made

in the period-end financial reporting process Over related party transactions Related to significant management estimates That mitigate incentives for, and pressures

on management to falsify or inappropriately manage financial results

Audit Strategy

Recent significant developments Recurring engagement: events since the last

audit New engagement: events since the client was

accepted Can be internal events or external developments Auditor spends more time on these issues

Sources of information for the audit strategy Client acceptance and continuance activities Understanding the client’s system Other engagements for the client

Planning meeting and planning memorandum

Planning the Audit Resources

Assignments of the audit team

Timing of audit workHigh-risk areasEngagement budget

Audit Resources: Assignments The work must be planned and any assistants

must be properly supervised; required by auditing standards and quality control standards Supervision includes instruction and review

The firm should match jobs to individuals based on difficulty and complexity of the job and experience and expertise of the individual

How much time of people at which levels does the audit require? Sometimes there is a trade-off – a person with greater

skills can perform the task faster and better, will require less instruction and the review will be easier

Audit Resources: Timing

Terms Interim procedures, interim date Busy season

Timing of procedures in audit plan is for best effectiveness and efficiency.

Interim work helps Discover problems earlier so the client can fix them or the auditor

can plan to spend more time on them during year end work When the client does not retain records or not in the original format

Some work must be done at or after year end ICFR audit work on the client’s year end financial reporting process Agreeing financial statements to the accounting records Examining adjustments made when preparing the financial

statements

Audit Resources: Timing

Roll forward audit procedures When procedures performed at an interim date

have to be carried forward through fiscal year end Applies to ICFR work for financial statement

and ICFR audits Does a control that was tested at an interim date

continue to operate in the same way (either good or bad) through the end of the year?

Applies to financial statement audit work Reconcile an account balance tested at an interim

date with the year end account balance

Audit Resources: High Risk Areas Based on risk assessment procedures More audit effort is directed toward high risk areas

e.g., more tests, more experienced staff, specialists Specialist: a person or firm possessing special skill or knowledge in

a particular field other than accounting or auditing Can work for client, CPA firm or may be an outsider Audit evaluates qualifications and work of specialist before using

it If specialist’s work is unreasonable, auditor does more work Examples: actuaries, appraisers, engineers, environmental

consultants, geologists, lawyers A professional particularly knowledgeable about IT may be needed

Computer system is pervasive and critical to operations; is new, recently changed, complex; uses emerging technology; used for e-commerce

Audit Resources: High Risk Areas

IT expert’s potential contributions to the audit Determining the effect of IT on the audit Understanding the IT controls Designing and performing tests of IT

controls Designing and performing IT-related or

IT-based substantive procedures

Audit Resources: Engagement Budget Audit planning includes preparing a preliminary time budget

Detailed by areas of the audit Indicates anticipated time of professionals at various

experience levels for each area Purposes and uses of a time budget

Planning engagements Evaluating staff Managing the firm

Audit professionals track and report time spent on the engagement Firm can compare budget with actual outcomes Budgeted to actual is used for billing, evaluating staff

performance and bidding on future engagements

Develop the Audit Plan

Nature, timing and extent of audit procedures

Top down approach Different types of audit

procedures

Audit Plan: Nature, Timing and Extent First the auditor has to know:

Management assertions (which requires knowing which accounts are important), materiality, risk, timing driven by client specifics

Terms are used a lot; meaning is simple: Nature is type of test, control or substantive, and

which specific audit procedures is to be performed Timing is when it is to be performed;

considerations are having audit resources available, evidence availability, being able to test the period for which evidence is needed

Extent is quantity of testing to be performed

Audit Plan: Nature, Timing and Extent Nature: Tests of controls

For ICFR audit, the auditor must test controls For financial statement audit, auditor tests those controls that

are to be relied upon – for entire period of planned reliance If a significant account, type of transaction, or disclosure is

susceptible to material misstatement, the auditor defines what causes that susceptibility. If a control exists that is effectively designed to prevent or detect the event that will cause the account or disclosure to be materially misstated, the auditor plans how to test the controls operating effectiveness.

Nature: Substantive Procedures Purpose is straightforward, tests are planned to detect material

misstatements that exist in the financial statements Nature: Types of procedures to obtain audit evidence

Inspection, observation, inquiry, external confirmation, recalculation, reperformance, analytical procedures

Audit Plan: Nature, Timing and Extent

Extent: If test are properly designed for the audit issue being evaluated, the assumption is that more testing provides more evidence.

Extent considerations includes sampling decisions

Discussed more in later chapters Properly designed sampling approaches can

provide sufficient evidence to permit the auditor to draw valid conclusions without examining all the transactions

Audit Plan: Top Down Approach

How to plan substantive audit steps…identify, assess and decide upon: Significant accounts, transactions or

disclosures Relevant assertions for them Risks of material misstatement related to

those assertions Substantive audit procedures to address

those possible material misstatements

Audit Plan: Top Down Approach

How to plan control audit steps…identify, assess and decide upon: Significant accounts, transactions or

disclosures Relevant assertions for them Risks of material misstatement related to

those assertions Causes of the risks Controls that address the causes of the risks Tests of the controls

Audit Plan: Types of Audit Procedures Audit evidence: an accumulation of activities,

documents and information that persuades the auditor to have reasonable assurance that management’s assertions are appropriate.

AS 5, to test controls: Inquiries, inspection of documents, observation,

reperformance Walkthrough is the term for tracing a transaction

through initiation, authorization, processing and recording.

Walkthroughs are used to understand the system and assess design effectiveness

Audit Plan: Types of Audit Procedures

Audit procedures for a financial statement audit include those listed by AS 5 for controls, and more: Inspection of records, documents, tangible

assets Observation Inquiry External confirmation Recalculation Reperformance Analytical procedures

Communication on Planning

After initial audit planning, auditor may meet with management

Auditor may provide an overview of the plan for the audit

Auditor provides general information about scope and timing, but not a level of detail that would compromise the audit’s effectiveness

Overview of Planning

Exhibit 6-9

Appendix A: Using the Work of Others

Other Independent Auditors vs. “Others”

Sometimes more than one independent auditor works on an audit Auditor who does the most is called the principle

auditor Principle auditor must decide whether it was

sufficiently involved in the work of the other firm to take responsibility for the conclusions on that work

Impacts the audit report “Work of others” guidance does not address

the principal auditor – other auditors situation

Deciding to Rely on the Work of Others

In deciding whether to rely on the work of others in planning and executing the audit, the auditor must evaluate The individual who performed the work

Competence objectivity

The subject matter or target of the work performed Materiality Risk associated with controls Subjectivity of the evaluations in the procedures

Effect on the Independent Auditor’s Work

The auditor will be very careful in deciding whether to use the work of others that has been done on the control environment since that work has such a big impact on other decisions in the audit.

When a account, disclosure or control is associated with greater risk (including because of materiality) the auditor performs more work personally and relies less on the work of others.

The work of others may cause the auditor to change the nature, timing and extent of audit procedures; can result in either more or less audit attention to a particular area.

Effect on the Independent Auditor’s Work The auditor relies less on the work of others if more

judgment is required to determine whether a misstatement is important or a control is performing effectively.

The auditor does more work personally on controls over period-end financial reporting because problems in this process present significant risk of misstatement to the financial statements.

Accounts that incorporate important estimates or judgments made by management require more personal work by the auditor and less use of the work of others; e.g., revenue recognition, collectibility of receivables, appropriate accounting for derivatives.

Effect on the Independent Auditor’s Work

If an account is susceptible to management override the auditor relies less on the work of others.

Some accounts may have a low enough risk of material misstatement that the auditor may choose to rely on the work of others rather than performing procedures; possibilities are existence of cash, prepaid assets and fixed asset additions.

High risk and judgment needs can cause the auditor to perform more audit work in addition to that performed by others; examples are Valuations requiring significant estimates Related party transactions, contingencies, uncertainties,

subsequent events

Evaluating and Testing Other’s Work Auditor must decide how much evaluation and testing

to do on the work of others; professional judgment How much will the work of others affect audit

decisions? How competent and objective is the other person? What were the accounts and controls the other

person worked on? Procedures to test work of others

Examine some of the controls, transactions or balances that others examined and compare results

Examine controls, transactions or balances similar to the ones examined by others and compare results

Audit Impact of Work of Others The auditor can consider the work of others in

planning and performing audit procedures; can either increase or decrease audit work because of the work of others and results

Others can actually provide direct assistance on the audit; auditor must: Assess competence and objectivity Supervise, review, evaluate, and test work Inform works on responsibilities, objectives of

procedures, important accounting and auditing matters, need to report significant findings to the auditor

Copyright

“Copyright © 2011 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.”