Save content
Have you found this content useful? Use the button above to save it to your profile.
AIA

Audit planning: Be prepared

by
10th Jul 2012
Save content
Have you found this content useful? Use the button above to save it to your profile.

As a follow-up to his article on audit completion, Steve Collings turns his attention to planning - one of the most crucial elements of the audit process.

Audit planning is one of the most crucial aspects of an audit because without undertaking a sufficient programme of planning, the auditor risks going in blind, which in turn increases audit risk - that being the risk of forming an incorrect opinion on the financial statements.

The UK and Ireland international audit standards (ISAs) are vast - you’ll find them in the 300 series: ISAs 300, 315, 320 and 330 - so this article cannot go into every matter an auditor must consider. The intention is to flag up some of the more important issues surrounding audit planning; practitioners are advised to consult the UK and Ireland ISAs to address any concerns or problems they encounter.

According to ISA (UK and Ireland) 300 ‘Planning an audit of financial statements’, the audit should be planned so that it will be performed in an effective manner. The standard says that planning involves establishing the overall audit strategy, which then feeds into the audit plan. ISA (UK and Ireland) 300 recognises that adequate planning will benefit the auditor in a number of ways; paragraph 2 sets out the benefits as follows:

  • Helping the auditor to devote appropriate attention to important areas of the audit.
  • Helping the auditor identify and resolve potential problems on a timely basis.
  • Helping the auditor properly organise and manage the audit engagement so that it is performed in an effective and efficient manner.
  • Assisting in the selection of team members with appropriate capabilities and competence to respond to anticipated risks, and the proper assignment of work to them.
  • Facilitating the direction and supervision of team members and the review of their work.
  • Assisting, where applicable, in coordination of work done by auditors of components and experts.

Preliminary engagement activities

ISA (UK and Ireland) 300 requires the auditor to perform “preliminary engagement activities” at the start of an audit assignment. These activities let the auditor identify and evaluate events or circumstances that undermine their ability to plan and perform the audit. At the start of an audit, paragraph 6 to ISA (UK and Ireland) 300 requires the auditor to:

  • Perform procedures required by ISA (UK and Ireland) 220 ‘Quality control for an audit of financial statements’ regarding the continuance of the client relationship and the specific audit engagement.
  • Evaluate compliance with relevant ethical requirements, including independence, in accordance with ISA (UK and Ireland) 220.
  • Establish an understanding of the engagement terms, as required under ISA (UK and Ireland) 210, ‘Agreeing the terms of audit engagements’.

The Application and Other Explanatory Material within ISA 300 at paragraph A6 gives examples of why these activities should be performed:

  • Ensuring the auditor maintains necessary independence and ability to perform the engagement.
  • Ensuring there are no issues with management’s integrity that may affect the auditor’s willingness to continue the engagement.
  • EEnsuring there is clear understanding with the audit client as to the terms of the engagement.

Audit strategy and audit plan

Establishing the audit strategy will help the auditor to determine various issues that arise throughout the audit (subject to the auditor’s risk assessment). The auditor needs to consider the resources that will be needed in certain high risk areas, for example, and the level of skill and experience that will need to be devoted to such areas, including the use of experts where necessary. The auditor will also need to consider the resources to assign to specific audit areas, when these resources are needed and how they will be managed.

Once the auditor has addressed these issues, the detailed audit plan can be developed. The audit plan should include the nature, timing and extent of procedures to be performed, which are all risk-based. This requires the auditor to undertake risk assessment procedures early on in the audit process and to plan the nature, timing and extent of specific further audit procedures depending on the outcome of their risk assessment procedures.

While audit planning naturally happens at the start of the audit process, it is not completed once planning is complete. The UK and Ireland ISAs recognise that planning is a “continuous and iterative” process and that changes to the original audit plan may well be needed as a result of unexpected events, changes in conditions, or as a result of evidence gathered during the detailed audit work, such as when audit evidence reveals matters that differ significantly from the information that was available to the auditor during the original planning.

Direction, supervision and review

Many auditors ask, “How much review work am I expected to complete?” The answer will depend on many factors. Many auditors may not wish to receive such a reply, but ISA (UK and Ireland) 300 acknowledges four main factors they need to consider concerning the direction and supervision of team members deployed on an audit:

  • The size and complexity of the entity.
  • The area of the audit.
  • The assessed risks of material misstatement.
  • The capabilities and competence of the individual team members performing the audit work.

Identifying the risks of material misstatement

The auditor needs to have a clear understanding of the audit client to identify the risks of material misstatement. ISA (UK and Ireland) 315 says an auditor’s objective is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels. This ability comes from understanding the entity and its environment, including its internal controls, which will provide a basis for designing and implementing responses to the assessed risks of material misstatement, as dealt with in ISA (UK and Ireland) 330.

Some aspects of understanding an entity not covered in full by this article, but still worth noting include:

  • What the entity does and how it conducts its operations.
  • The industry sector in which the entity operates.
  • External factors that affect the entity.
  • How it is financed.
  • Group structure (where applicable), including subsidiaries, associates, joint ventures etc.
  • Objectives and strategies of the entity.
  • The effectiveness of its internal control.
  • How managers identify and analyse risks facing the business and how they respond to those risks.
  • Significant financial reporting issues and accounting estimates.

In addition gaining an understanding of the client’s control environment, the auditor must also evaluate whether management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour. Do the control environment elements collectively provide an appropriate foundation for the other components of internal control, and could those other components be undermined by deficiencies in the control environment? This requirement is frequently missed out and is on the hot lists of some file reviewers, as it is specifically covered by paragraphs 14 (a) and (b) in ISA (UK and Ireland) 315.

Risk assessment

ISA (UK and Ireland) 315 requires the auditor understand whether the audit client has processes in place to:

  • Identify business risks.
  • Estimate the significance of the risks.
  • Assess the likelihood of their occurrence.
  • Decide about actions to address those risks.

Some clients may not have an established process in place, or they may just have ad-hoc processes. In such cases the auditor must discuss with management whether business risks relevant to the objectives of financial reporting have been identified and how they have been addressed. The auditor must then consider whether the absence of a documented risk assessment process is appropriate in the circumstances, or determine whether it represents a significant internal control deficiency.

Once risk has been assessed, the auditor must implement appropriate responses to those risks. ISA (UK and Ireland) 330, ‘The auditor’s responses to assessed risks’ requires the auditor to respond to the assessed risks of material misstatement at the financial statement level. How the auditor designs these responses will be influenced by a couple of considerations covered in paragraph 7 of ISA (UK and Ireland) 330, which says the auditor shall:

  • Consider the reasons for the assessment given to the risk of material misstatement at the assertion level for each class of transactions, account balance, and disclosure including:
         §  the likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance, or disclosure (that is, the inherent risk); and
         §  whether the risk assessment takes account of relevant controls (that is, the control risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); and
  • Obtain more persuasive audit evidence the higher the auditor’s assessment of risk.

ISA (UK and Ireland) 330 requires the auditor to perform tests of controls if the auditor’s assessment of risk of material misstatement at the assertion level includes an expectation that the controls are operating effectively or where substantive procedures alone will not be able to provide sufficient appropriate audit evidence at the assertion level. However, care must be taken when placing reliance on internal controls; where the auditor places greater reliance on the effectiveness of a control, they must obtain more persuasive audit evidence.

Relying on tests of control from the previous audit

It is permissible to use evidence from previous audits concerning the operating effectiveness of specific controls, but in doing so the auditor must establish the continuing relevance of that evidence by obtaining audit evidence concerning whether any significant changes in those controls have occurred since the previous audit. Where there have been significant changes affecting the continuing relevance of previous audit evidence, the auditor must test the controls in the current audit.

However, if there have not been such changes the auditor will be required to test the controls at least once in every third audit. This does not mean that every control will be tested at least once in every third audit, because paragraph 14(b) to ISA (UK and Ireland) 330 requires the auditor to test some controls each audit so as to avoid the possibility of testing all the controls on which the auditor intends to rely in a single audit period with no testing of controls in the next two audit periods.

Where substantive tests are concerned, ISA (UK and Ireland) 330 requires substantive testing to be carried out for each material class of transaction, account balance and disclosure regardless of the assessed risks of material misstatement. The auditor must also consider whether external confirmation procedures should be performed as substantive audit procedures, so there is no getting away from the detailed “ticking and bashing” procedures.

The auditor must also comply with paragraph 20 of ISA (UK and Ireland) 330, which sets out the following audit procedures related to the financial statement closing process:

  • Agreeing or reconciling the financial statements with the underlying accounting records; and
  • Examining material journal entries and other adjustments made during the course of preparing the financial statements.

Conclusion

There are many areas in audit planning that lend themselves to misunderstanding and misinterpretation. In some cases audit firms have been criticised for the sheer lack of planning documentation on file, from which inspectors can only conclude that the amount of documentation on file reflects the actual amount of planning work that has been done. Modern auditing software usually provides a comprehensive planning memorandum and outlines the information that should be included in the planning section of the current audit file, but the most crucial point to bear in mind is to make sure the crucial planning points are fully documented.

Steve Collings is the audit and technical partner at Leavitt Walmsley Associates and the author of ‘Interpretation and Application of International Standards on Auditing’. He is also the author of ‘The AccountingWEB Guide to IFRS’ and ‘IFRS For Dummies’ and was named Accounting Technician of the Year at the 2011 British Accountancy Awards.

Tags:

Replies (0)

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.