Save content
Have you found this content useful? Use the button above to save it to your profile.
AIA

Effective audit planning. By Steve Collings

by
9th Jun 2008
Save content
Have you found this content useful? Use the button above to save it to your profile.

Reading various press releases/articles in the accounting media it seems that QAD visits are highlighting that firms of accountants are still having problems in complying with the International Standards on Auditing (ISAs). Unsurprisingly, the ISA that is causing the main headache for firms is ISA 315 ‘Understanding the entity and its environment’.

The ISA regime has been with us for a couple of years now – so why are firms still struggling to do everything that is required by ISA 315?

The first thing that springs to mind is the sheer content of ISA 315. At thirty six pages long it comes as no surprise that firms may be failing to undertake every aspect of the ISA in question. Second is an issue I raised in a previous article – cost.

This article aims to highlight the key contents of ISA 315 in a summary form in order to help practitioners identify where there might be scope for improvement at firm level. For obvious reasons, this article cannot go into a large amount of technical detail.

The purpose of ISA 315 is to establish a standard that aims to provide guidance for audit firms in understanding their audit client, the environment the client operates in and the risks it faces. The risks can be split into two individual components: business risks (the external risks) and financial statement risks (risks of financial statement misstatement).

Paragraph 2 of ISA 315 states “the auditor should obtain an understanding of the entity and its environment, including its internal controls, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient design and perform further audit procedures”.

In other words the auditor should understand how the client operates and whether they have sufficient controls in place. Then consider the audit procedures that need to be adopted in each key audit area.

ISA 315 states that the auditor should:

  • undertake a risk assessment including assessing the clients internal controls;
  • assess the risks of material misstatement within the financial statements;
  • understand the entity and its environment, including its internal controls;
  • communicate with those charged with governance (see also ISA 260); and
  • document the understanding and the risks (see also ISA 330).

So what is involved in a risk assessment?

In a nutshell all a risk assessment involves at the planning stage is (a) identifying the risks the client faces, both internally and externally and (b) assessing how those identified risks impact on the financial statements i.e. could the financial statements be materially misstated as a result of those identified risks?

In order to obtain an understanding of an audit client and the environment in which it operates, the auditor needs to obtain varying degrees of information. Undeniably there will be information held about the client on last year’s current audit file and most certainly on the permanent audit file – but the question you need to ask at the outset of every audit is how up to date is that information?

In order to undertake an effective risk assessment, the auditor should:

  • inquire of management and others within the entity;
  • undertake analytical procedures; and
  • observe and inspect.

Inquiries with management will often assist the auditor understand the environment in which the entity operates and the internal controls the client has adopted. However, inquiries with management alone may not be sufficient. It may be more appropriate to speak to staff at operational level. This is not suggesting that management may be divorced from the day to day aspects of the business, however, in a large manufacturing company, for example, it may help the auditor gauge a better understanding from those that are ‘hands on’. An example may be asking the warehouse staff about how they do the stocktake.

Analytical procedures are a useful tool and come up a lot during the course of planning, completing and concluding the audit. Analytical procedures may help the auditor identify unusual characteristics within the financial statements and may highlight matters that will have an impact on the current year’s audit. For example, if management charges have been included as an administrative expense in the current year’s financial statements, but were not included last year then this should alert the auditor (at the planning stage) to inquire of management and maybe inspect the underlying documentation relating to the management charge to make a conclusion on its appropriateness.

Observation and inspection may corroborate the assertions made by management. For example the management might inform the auditor that they have a procedure for authorising purchase invoices. Inspection of a random sample of purchase invoices to corroborate this assertion may be appropriate. The devising of such a test should be designed at the planning stage of the audit once the risk assessment has been undertaken.

Inspection of documents will help gather appropriate audit evidence. For example if the client has a large provision for redundancy costs shown in wages (the increase in wages may have been picked up during the analytical review), then inspection of board minutes approving the redundancies, obtaining copies of redundancy notices, inspection of payroll records to ensure the redundancy costs have been correctly processed via the payroll and inspection of the employee’s contract of employment to ensure correct calculation of redundancy should all be planned at the planning stage of the audit if considered material.

The depth of understanding should therefore be sufficient enough to gather an understanding of the risks that may result in the financial statements being materially misstated.

Discussion

ISA 315 also states that the audit team assigned to the audit client must have a meeting to discuss the audit. Such a discussion aims to help all the audit team gauge a better understanding of the audit client. So what should the discussion be about? Here are the key issues that may be addressed:

  • the environment in which the client operates;
  • what the client does;
  • key customers/suppliers;
  • the susceptibility of the client to fraud (see ISA 240);
  • the internal controls of the client;
  • the susceptibility of material misstatement within the financial statements; and
  • the overall audit strategy.

The discussion should therefore be an opportunity for all members of the audit team (audit partner, audit senior/manager, audit juniors) to share knowledge of the client and to understand how the audit will be approached. It is vital that all members of the team understand the client and the environment it operates within – even those at junior level.

The clients control environment

ISA 315 states that the client’s internal control environment should consist of the following:

  • the industry, regulatory or other external factors;
  • nature of the entity including its selected accounting policies;
  • the overall objective and the general risks the business faces which may result in material misstatement of the financial statements;
  • measurement and review of the entity’s financial performance; and
  • its internal controls

‘The industry’ concerns issues such as the economic climate. For example, for a client in the construction industry, the auditor should understand the current state of the construction industry and how this may impact on the financial statements.

Regulatory factors are the laws and regulations the audit client is obliged to abide to. ISA 250 ‘Consideration of laws and regulations in an audit of financial statements’ gives more detail.

Other external factors could be issues such as competitors, relationships with customers and suppliers, technical obsolescence of plant and machinery/products manufactured and key employees.

Understanding the nature of the entity might seem an obvious prerequisite. However, what might seem obvious to, say, the audit partner might not seem so obvious to a junior member of the team. All audit staff, regardless of seniority; need to understand the client they are auditing. A ‘basic’ understanding of the audit client may not be sufficient enough to understand the classes of transactions, account balances and disclosures that are required to be made in the financial statements. Related party issues may be incorrect/undisclosed by failing to have the required understanding. The planning stage is the opportunity to demonstrate, discuss and document this understanding.

Internal controls

ISA 315 splits internal controls into five individual components:

  • the control environment;
  • the entity’s risk assessment process;
  • the information system;
  • the control activities; and
  • the monitoring of controls

The ways in which internal controls are designed may well fluctuate between audits. For example, an owner-managed £6 million turnover DIY company may have relatively simple internal controls and processes, whereas a large multi-million turnover company may have far more complex internal controls.

The fact that the internal controls may be relatively simple and straightforward in a smaller entity audit does not, in itself, constitute a weakness. If the internal controls prove to be ineffective, for example, through management override, then this will become a significant audit issue which will need to be addressed further. The planning stage is the stage when the auditor needs to consider such issues.

The auditor should use judgement (by reference to ISA 315) to consider whether the control(s), individually or in aggregate, is relevant to the auditor’s considerations in (a) assessing the risk of material misstatement and (b) designing and performing audit procedures in response the risks.

Therefore, obtaining an understanding of the internal controls means looking at a control in isolation and determining whether it is (in)effective and whether it has been operated. At the planning stage, therefore, the auditor needs to take the internal control environment into consideration in order for them to conclude whether or not they are considered effective, and what effect they have on the financial statements.

A material weakness in internal control(s) is one that could have a material effect on the financial statements.

Documentation

Documentation is a key feature of audit insomuch that (unsurprisingly) it has its own ISA! ISA 230 ‘Documentation’.

The auditor should document all the discussions held amongst the engagement team which should have reference to issues that may result in material misstatements caused by fraud and/or error and the decisions reached in respect of those issues.

In addition, the auditor is required to document:

  • key elements of the understanding obtained relating to the entity and the environment in which it operates, including each of the internal controls in order to assess the risk of material misstatements;
  • risk assessment procedures;
  • the identified and assessed risks of material misstatement both at the assertion and financial statement level; and
  • risks identified and the related controls.

The ISA does not include a set format as to how these should be documented, though commonly legible freeform notes will suffice.

As a summary

ISA 315 is an extremely detailed standard and, rightly or wrongly, is one that monitoring visits are attracted to. The planning stage is the auditor’s opportunity to ensure the audit is effective and efficient. The best way to do this is to have a ‘risk-based’ audit.

  • Thoroughly document your understanding of the client, the processes, controls and accounting policies.
  • Perform a risk assessment (business and financial) and identify those risks that may result in the financial statements being materially misstated and show how that risk was reduced to an acceptable level. ISA 330 ‘Risk’ considers this area in more detail.
  • Document discussions held with the audit client and the discussions amongst the engagement team.
  • Document the overall audit strategy i.e. the nature and extent of audit procedures.
  • Do not rely wholly on the audit programme – this is the main reason audits overrun on cost. Tailor the audit programme to the nature of the audit client. This will minimise ‘over auditing’ and save time where tests on the audit programme are not applicable/material to the audit client.
  • Have the audit partner review and approve the audit programme.
  • Document the client’s laws and regulations central to them and show that you have considered the effect of non-compliance. For example if a client in the chemical industry breaches health and safety, what would be the impact? Would it have going concern issues? Consider also money laundering regulations – jail sentence for the directors – would that have an impact on going concern? Show (and document) that you have considered these areas.
  • Document your understanding of the client’s controls including an assessment of the accounting system and its effectiveness.
  • Show the results of any analytical review and any identified risks resulting from the analytical review.
  • Cross reference material issues/risks identified at the planning stage to the detailed audit work undertaken in the file.

Conclusion

This article aims to highlight the main areas of ISA 315. The standard itself is very detailed and therefore this article cannot, for obvious reasons, go into a large amount of technical detail. The results of effective planning and detailed audit will be two-fold. Firstly the monitoring visit should go well in this area and secondly effective planning will mean an efficient audit (thus a reduction in costs!!)

The planning process is hugely significant in terms of the audit and must be given sufficient time as the planning will ultimately influence the detailed audit work to be undertaken.

A risk-based audit will ensure that key areas of the audit are given the required amount of attention and ensure that low-risk items are not ‘over-audited’ – for example by eliminating those tests that are not deemed necessary on the audit programme (tailoring).

A copy of ISA 315 can be obtained from the FRC website here.

Steve Collings is audit manager Leavitt Walmsley Associates.

Tags:

Replies (2)

Please login or register to join the discussion.

avatar
By stejohn1974
10th Jun 2008 17:12

Hi "Audit"
Thanks for the feedback - your comments are appreciated. The problem smaller firms face with audit are the demands that the ISA's place on the auditor together with the ambiguity of some of the mainstream standards. The planning part of the audit seems to be the bone of contention as firms often struggle with the standard in this area (ISA 315).

When the new regime came into play practitioners were not happy about the increased costs they faced - and this is still a significant issue for firms at the smaller end of the scale. I did do an article about practice note 26 which is here:

https://www.accountingweb.co.uk/cgi-bin/item.cgi?id=182599&d=1025&h=1022&f=1026&dateformat=%25o%20%25B%20%25Y

This addressed the issue of documentation for the smaller audit which might help you as the ASB are aware that there are still companies that voluntarily require an audit or go over the thresholds but are still "smaller entities".

The ASB have acknowledged that the ISA's are ambiguous, and in some circumstances, unclear as to what they actually require auditors to do (this obviously doesn't help firms!!). The ASB are currently undertaking a revamp of the standards aimed at clarifying them but the clarified standards are not due to be effective until audits for accounting periods beginning on or after 15.12.09 - so how effective their clarity project actually is only time will tell. The audit thresholds have been increased in the wake of the new companies act 2006 (though only effective for A/Ps beginning on or after 6.4.08), but this will exempt more companies from requiring a statutory audit.

Best wishes
Steve

Thanks (0)
avatar
By User deleted
10th Jun 2008 16:53

Steve
a well-meaning useful and informative disection of ISA 315.
I will answer your query why firms have been "struggling" with it - because for the vast majority of audits it is way OTT.
The profession is screaming out for sensible audit standards that apply to owner SME's ie one's that practitioners who are quite able but are running businesses within the confines of an overly regulated profession can only work 25/8!
It is unlikely that the professional bodies are listening to the small practitioner network so Steve we will continue to "struggle"!!
Well done anyway - what about biting the bullet and posting something from the last years "small audit" standard
Ta!!

Thanks (0)