
Chapter 3 PLANNING AND RISK ASSESSMENT

Uploaded by

hackdon8

3. Planning & Risk Assessment Page 20

Ch # 3 PLANNING AND RISK ASSESSMENT

Planning an Audit (ISA 300)

Professional scepticism
An attitude that includes a questioning mind, being alert to conditions which may indicate possible
misstatement due to error or fraud, and a critical assessment of audit evidence.

In planning & performing audit, auditor should adopt an attitude of professional scepticism.

▪ Auditor should view what they are told with a sceptical attitude, and consider whether it appears
reasonable and whether it conflicts with any other evidence.
▪ Auditor should have a questioning attitude.
▪ They must not simply believe everything management tells them.

Benefits of planning

▪ Helps to devote appropriate attention to important areas of audit
▪ Helps identify and resolve potential problems on a timely basis.
▪ Helps auditor properly organize and manage the audit
▪ Helps in assignment of engagement team members & audit work.
▪ Facilitating direction, supervision and review of audit work.

Preliminary engagement activities

Auditor shall undertake the following activities at the beginning of current audit engagement:
▪ Procedures regarding continuance of client (ISA-220)
This will involve establishing whether the auditor:
- is competent to perform the engagement
- has the capabilities, including time and resources, to do so;
- can comply with relevant ethical requirements;
- has considered the integrity of client; and
- has considered significant matters arisen during the current or previous audit.
▪ Evaluate compliance with relevant ethical requirements, including independence (ISA 220)
- Auditor should remain compliant with ethical requirements during the audit
- Auditor should establish appropriate safeguards against non-compliance.
- Engagement partner will need to provide the firm with relevant information about the engagement
to enable the firm to evaluate independence requirements.
▪ Establishing an understanding of terms of engagement (ISA 210)

Involvement of key engagement team members

▪ Engagement partner and other key members of engagement team should be involved in planning the
audit
▪ There should be proper discussion among engagement team members to enhance the efficiency and
effectiveness of the planning process.
▪ In practice there is likely to be some planning meeting(s) between auditor and the client.

The overall audit strategy

Overall audit strategy sets the scope, timing and direction of the audit and guides the development of
the more detailed audit plan.

Establishing overall audit strategy assists auditor to determine:


▪ Resources to deploy for specific areas (e.g. experienced team members for risky areas)
▪ Amount of resources to allocate to specific audit areas (e.g. number of team members)
▪ Timing of deployment of these resources (e.g. whether interim audit stage or at year end)
▪ How these resources are managed, directed and supervised
(e.g., timing of team briefing meetings and manager and partner reviews of work)

The audit plan

After establishment of overall audit strategy auditor can develop the more detailed audit plan.

The plan sets out answers to three main questions (the ‘3Ws’):
▪ Who will perform the audit work? (Staffing)
▪ When will the work be done? (Timing)
▪ What work is to be done? (The scope of the audit)

The audit plan will set out:


▪ Procedures to be used in order to assess the risk of misstatement in the entity’s accounting
records/financial statements, and
▪ Planned further audit procedures for each material audit area to:
- Obtain sufficient appropriate audit evidence, and
- Reduce audit risk to an acceptably low level.

These procedures will be set out in a series of audit programmes.
(Set of instructions specifying procedures that should be performed in each area of audit)

Documentation

The auditor shall include in the audit documentation:


▪ The overall audit strategy;
▪ The audit plan; and
▪ Any significant changes made in above documents during the audit along with reasons.

Additional considerations in initial audit engagements

▪ Arrangements to be made with the predecessor auditor (e.g. to review his working papers);
▪ Any major issues discussed with management in connection with initial selection as auditor,
communication of these matters to TCWG and how these matters affect the overall audit strategy and
audit plan;
▪ Procedures to obtain sufficient appropriate audit evidence regarding opening balances;
▪ Other procedures required by firm's system of quality control for initial audit engagements
(e.g. involvement of another partner or senior individual to review planning activities)

Interim audit and final audit

Some key benefits from spreading the work across interim and final audit may be:
▪ More flexible resource planning within the firm
▪ Helps reduce demand for audit staff during ‘busy season’
▪ Earlier identification of significant matters
▪ Shareholders and other users receive audited accounts earlier
▪ Increased audit efficiency

“The higher the risk of material misstatement, the more likely it is that the auditor may decide it is more
effective to perform substantive procedures nearer to, or at, the period end rather than at an earlier date”.

Typical interim audit procedures include:


▪ Understanding the entity, assessing inherent risk (see ISA 315) and identifying significant matters
which will be reflected in the subsequent audit strategy and audit plan.
▪ Recording, evaluating the design and testing the entity’s system of internal control.
▪ Performing substantive testing to ensure the books and records are a sound basis for performing the
final audit.

Typical final audit procedures include:


▪ Substantive testing.
▪ Tests to ensure conclusions formed at interim audit remain valid
▪ Obtaining 3rd party confirmations such as bank letters and trade receivables confirmations
▪ Analytical review
▪ Subsequent events review
▪ Obtaining written representations
▪ ISA 330 specifically states that the following procedures can only be performed at or after the period
end:
- Agreeing the F/S to the accounting records;
- Examining adjustments made during the course of preparing F/S; and
- Procedures to respond to a risk that, at the period end, the entity may have entered into improper
sales contracts, or transactions may not have been finalized

Audit Risk (ISA 330)

Different approaches for Audit

Substantive Approach
▪ Every item in F/S is tested and vouched to supporting evidence
▪ Approach is still in use for small entities with few transactions
▪ This approach leads to over-auditing

System Approach
▪ Underlying accounting system is tested with less emphasis on testing individual transactions and
balances
▪ It may also lead to over-auditing as auditor would also be testing less risky areas

Risk Based Approach


▪ Auditor identifies risks at planning stage
▪ Auditor prepares audit strategy and audit plan to focus on those risky areas
▪ Most firms now use a mixture of the audit risk approach and a systems-based approach.

The audit risk model


Audit Risk = Risk of Material Misstatement x Detection Risk
where Risk of Material Misstatement = Inherent Risk x Control Risk
Audit Risk: Risk that auditor expresses an inappropriate audit opinion when F/S are materially misstated

Inherent Risk: Susceptibility of an assertion to a misstatement that could be material before consideration of
any related controls

Control Risk: Risk that misstatement that could occur in an assertion and that could be material will not be
prevented, or detected and corrected, on a timely basis by entity's internal control

Detection Risk: Risk that procedures performed by auditor to reduce audit risk to an acceptably low level will
not detect a misstatement that exists and that could be material

Inherent risk

Inherent risk may result from either the:


▪ Nature of the items themselves; or
(e.g. estimated items)
▪ Nature of the entity and the industry in which it operates.
(e.g. F/S of a company in construction industry are more likely to be misstated than items in F/S of
companies in a more low-risk environment, such as a manufacturer of food)

Control risk

▪ Auditor needs to make an assessment of control risk for different areas of the audit.
▪ Evidence about control risk can be obtained through ‘tests of control’.
▪ Tests of control may provide sufficient evidence to justify a reduction in the estimated control risk, for
the purpose of audit planning.

Detection risk

▪ Detection risk can be lowered by carrying out more tests in the audit.
▪ In preparing an audit plan, the auditor will usually:
- Set an overall level of audit risk which he judges to be acceptable for particular audit
- Assess the levels of inherent risk and control risk, and then
- Adjust the level of detection risk in order to achieve overall required level of audit risk.

Understanding the business (ISA 315)

Auditor’s Risk Assessment Process

Auditor’s risk assessment procedures include the following:


▪ Inquiries (i.e. asking questions and getting answers) of:
- Management;
- Appropriate individuals within internal audit function (if such a function exists); and
- Others who may have information that is likely to assist in identifying risks.
▪ Analytical procedures (study of ratios and trends to identify the existence of unusual transactions or
events or amounts, ratios or trends that might have implications for audit)
▪ Observation and inspection (e.g. inspecting internal control manuals or business plans).

Understanding the entity and its environment

This will involve considering such factors as:


▪ Relevant industry, regulatory and other external factors, including the AFRF.
▪ Nature of the entity, including its operations, ownership, management structures and types of current
and planned investments.
▪ Entity’s selection and application of accounting policies, including whether they are appropriate for its
business and consistent with the industry and the AFRF.
▪ Entity’s objectives and strategies and those related business risks that may result in risks of material
misstatement.
▪ The measurement and review of the entity’s financial performance.

Business risks are risks occurring as a result of significant conditions, events, circumstances or actions
that could affect an entity’s ability to reach its objectives and carry out its strategies.

Understanding the accounting and internal control systems

▪ If entity has an internal audit function then auditor shall obtain an understanding of the nature of
internal audit function’s responsibilities, its organizational status, and activities performed, or to be
performed.
▪ Auditor should try to reach a judgement about how strong (or weak) internal controls are, to make a
decision about amount of testing that should be carried out. He should consider:
- his previous knowledge of the client company
- any recent changes
- any known problems in the internal controls of the client
- the effect of any new auditing or accounting requirements.

Risk of Material Misstatement

Auditor is required to identify and assess the risks of material misstatement at both the financial
statement and assertion levels.

The financial statement level refers to risks which are pervasive to F/S as a whole and which potentially
affect many assertions (e.g. tendency of management to override internal controls)

The assertion level refers to specific objectives of the F/S
(e.g. whether all the liabilities have been recorded and whether recorded assets exist)

Risk assessment is an important aspect of planning an audit. Issues to consider are:


▪ Areas where risk of misstatement (error) appears to exist, and the nature of the risk
▪ When an error should be considered material, and when it may be ignored
▪ What aspects of the audit will be most difficult to plan because of high risk of misstatement.

The auditor should consider:


▪ Assessments of inherent risks and control risks, and identification of significant areas
▪ Setting materiality levels
▪ Possibility of material misstatements, including those arising because of fraud
▪ Identification of complex accounting areas, particularly accounting estimates.

High risk/material items will be audited in detail, but low risk/immaterial items will receive less attention

Responses to assessed risks

At the financial statement level (Tutor Note: these procedures can also be used in Fraud topic)

▪ Emphasising to the audit team the need to maintain an attitude of professional scepticism
▪ Assigning more experienced staff or increased supervision of staff
▪ The use of experts
▪ Incorporating elements of unpredictability in selection of further audit procedures.
▪ Changing the nature, timing and extent of audit procedures
(e.g. performing more substantive procedures at the final rather than at the interim audit)

At the assertion level

▪ Tests of controls; and/or
▪ Substantive procedures.

Materiality (ISA 320)

“Information is material if its omission or misstatement could influence the economic decisions of users taken
on the basis of the financial statements.”

Assessing what is or is not material is a matter of professional judgement. In this context auditors are
entitled to assume that users:
▪ Have reasonable knowledge of business and willing to study information in F/S diligently
▪ Understand that F/S are prepared, presented and audited to levels of materiality
▪ Recognise the uncertainties inherent in certain amounts in the F/S (e.g. provisions)
▪ Make reasonable economic decisions based on the information in the financial statements.

At the audit planning stage, risk and materiality are the two key factors which determine that ‘what audit
work is to be done?’

At the planning stage

▪ Auditor must determine materiality for the financial statements as a whole.
▪ A percentage is often applied to a chosen benchmark (e.g. profit before tax, total revenue, gross profit
and total expenses, total equity or net asset value etc.)
▪ If lower thresholds are required for some areas these must also be set at this stage.
▪ Auditor must also set performance materiality.
Performance Materiality is an amount or amounts set by auditor at less than materiality for the F/S
as a whole to reduce the probability that the aggregate of uncorrected and undetected misstatements
exceeds materiality for the F/S as a whole

As the audit progresses

Auditor must revise materiality (and, if appropriate, materiality for particular areas and performance
materiality) if he becomes aware of information not known to him at the time of setting materiality level(s)

Documentation must include details of all materiality levels set and any revision of these levels as the
audit progresses.

When considering whether misstatements in qualitative disclosures could be material, the auditor may
identify relevant factors such as:
▪ Circumstances of entity for the period (e.g. significant business combination during year)
▪ The AFRF, including changes therein (e.g. a new financial reporting standard)
▪ Qualitative disclosures important to the users of the F/S because of nature of the entity
(e.g. liquidity risk disclosures may be important to users of the F/S for a bank)

Determining materiality (a numerical overview)

STEP 01: Understand the ownership structure and users of the financial statements.
STEP 02: Determine the elements of the financial statements.
STEP 03: Identify the benchmark of most importance to users
STEP 04: Determine the appropriate percentage to apply to the selected benchmark
STEP 05: Determine performance materiality and clearly trivial threshold

The following guidelines may assist auditor to determine materiality. ISA 320 has not prescribed any
percentage but some of the following may be used as a best practice or rule of thumb

Benchmark: Profit Before Tax
Percentage: 5%
Suitable to following entities:
▪ Listed entity with issued equity securities
▪ Dividend paying entity
▪ Profit oriented entity

Benchmark: Revenue
Percentage: 1% to 5%
Suitable to following entities:
▪ Not for profit entity
▪ A company incurring losses

Benchmark: Cash flow from operation
Percentage: 3% to 5%
Suitable to following entities:
▪ Where primary user is bank and focused on the ability of the entity to repay

Benchmark: Expenses
Percentage: 3% to 5%
Suitable to following entities:
▪ Public sector entity
▪ Not for profit entity

Benchmark: Net Assets
Percentage: Up to 3%
Suitable to following entities:
▪ Unitholders of Mutual funds
▪ Company with strategic investments having various subsidiaries and associates

Benchmark: Total Assets
Percentage: Up to 1%
Suitable to following entities:
▪ Highly leveraged entity assets secured against financing

Fraud (ISA 240)

Fraud is an intentional act by one or more persons, involving the use of deception to gain an unjust or
illegal advantage.

▪ It is primarily the responsibility of management to establish systems and controls to prevent or detect
fraud (and errors)
▪ The objectives of the auditor are to identify and assess the risks of material misstatement and to
obtain sufficient appropriate evidence about those risks through audit procedures.
▪ Material misstatement in F/S may arise from error or fraud
▪ Auditor must respond appropriately to fraud or suspected fraud identified during audit.

Types of fraud relevant to F/S

Two types of fraud are identified by ISA 240:


1) Fraudulent financial reporting

▪ Manipulating, forging or altering accounting records or supporting documentation
▪ Misrepresentation or intentional omission from F/S of events or transactions.
▪ Intentional misapplication of accounting principles relating to areas of F/S

It often involves management override of controls using techniques such as:


▪ Recording fictitious entries, particularly close to period end, to manipulate operating results or
achieve other objectives.
▪ Inappropriately adjusting assumptions and changing judgments.
▪ Omitting, advancing or delaying recognition of events and transactions in F/S.
▪ Concealing, or not disclosing, facts that could affect F/S.
▪ Engaging in complex transactions structured to misrepresent the financial position or financial
performance of entity.
▪ Altering records & terms of significant and unusual transactions.

2) Misappropriation of assets

Involves theft of entity's assets and is often perpetrated by employees & management. It can be
accomplished in a variety of ways including:
▪ Embezzling receipts.
▪ Stealing physical assets (e.g. inventory) or intellectual property (e.g. business secrets).
▪ Causing an entity to pay for goods and services not received (e.g. fake purchases).
▪ Using an entity's assets for personal use.
Misappropriation is often accompanied by false or misleading records or documents in order to conceal fraud.

Responsibility of management and those charged with governance (Tutor Note)


Management and those charged with governance (TCWG) are responsible for:
▪ Prevention and detection of fraud
▪ Preparation of the financial statements
▪ Design and implementation of effective internal controls
▪ Providing the auditor with:
- Access to information relevant to the preparation of the F/S
- Additional information relevant to the audit
- Unrestricted access to persons whom he needs access to in order to complete the audit
▪ Providing written representations to the auditor at the end of the audit

Auditors Procedures

General Procedures (Irrespective of risks of management override of controls)


▪ Test appropriateness of journal entries recorded in general ledger and other adjustments made in
preparation of F/S:
- Make inquiries of individuals (involved in reporting process) about inappropriate or unusual
activity relating to processing of journal entries and other adjustments;
- Select journal entries and other adjustments made at the end of a reporting period; and
- Consider need to test journal entries and other adjustments throughout the period.
▪ Review accounting estimates for biases and evaluate whether that bias represents a risk of material
misstatement due to fraud:
- Evaluate whether management’s judgements about accounting estimates indicate a possible bias. If
so, auditor shall re-evaluate accounting estimates taken as a whole;
- Perform a retrospective review of such estimates reflected in F/S of the prior year.
▪ For unusual or significant transactions outside normal course of business, auditor shall evaluate the
business rationale of transactions to assess whether they have been made to engage in fraudulent
financial reporting or to conceal misappropriation of assets.

Procedures to identify risk of material misstatement due to fraud


▪ Make inquiries of management in respect of
- Their assessment of risk of material fraud
- Their process in place to identify and respond to such risk
- Any specific risk identified or suspected
- Any communication in entity in respect of fraud
▪ Make inquiries of management and others within entity as to whether they have any knowledge of
any actual, suspected or alleged frauds
▪ Make inquiries of internal audit.
▪ Evaluate any unusual relationships identified in performing analytical procedures
▪ Evaluate information from other risk assessment procedures

Fraud risk factors

Incentive or pressure:
May exist when management is under pressure, from sources outside or inside entity, to achieve an
expected (and perhaps unrealistic) earnings target or financial outcome.
Perceived opportunity
May exist when an individual believes internal control can be overridden due to his position or has
knowledge of deficiencies in internal control.
Attitudes / Rationalization
Some individuals possess an attitude, character or set of ethical values that allow them knowingly and
intentionally to commit a dishonest act.

Examples of Fraud risk factors relating to misstatements arising from 2 types of frauds

Incentives / Pressures
Fraudulent Financial Reporting:
▪ Financial stability or profitability of entity is threatened
▪ Pressure on management to meet the expectation of third parties
▪ Personal financial situation of management threatened by entity’s financial performance
▪ Excessive pressure on management or operating personnel to meet financial targets.
Misappropriation of Assets:
▪ Personal financial obligations
▪ Adverse relationship between the entity and employees with access to cash or other assets
susceptible to the theft.

Opportunities
Fraudulent Financial Reporting:
▪ Significant related party transaction
▪ Assets/liabilities, revenue, expenditures based on significant estimates
▪ Domination of management by single person or group
▪ Complex or unstable organizational structure
▪ Internal control components are deficient.
Misappropriation of Assets:
▪ Large amount of cash in hand or processed
▪ Inventory items that are small in size and high in value or are in high demand
▪ Easily convertible assets e.g. diamonds, bearer bonds and gold
▪ Inadequate internal controls over assets.

Attitudes / Rationalizations
Fraudulent Financial Reporting:
▪ Ineffective communication or enforcement of entity’s values or ethical standards by management
▪ Known history of violation of security laws or other laws
▪ A practice by management of committing to aggressive or unrealistic forecasts
▪ Low morale among senior management.
Misappropriation of Assets:
▪ Overriding existing controls
▪ Failing to correct known internal control deficiencies
▪ Behavior indicating displeasure or dissatisfaction with entity
▪ Changes in behavior or lifestyle.

Note: Only selected examples have been given in the table for much abridged understanding/retention only

Examples of circumstances that indicate the possibility of fraud

Discrepancies in the accounting records, including:


▪ Transactions not recorded in a complete or timely manner or are improperly recorded.
▪ Unsupported or unauthorized balances or transactions.
▪ Last-minute adjustments that significantly affect financial results.
▪ Evidence of unauthorized employees’ access to systems and records.
▪ Tips or complaints to the auditor about alleged fraud.

Conflicting or missing evidence, including:


▪ Missing documents.
▪ Documents that appear to have been altered.
▪ Significant unexplained items on reconciliations.
▪ Unusual balance sheet changes or changes in trends or important F/S ratios etc
▪ Inconsistent, vague, or implausible responses from management or employees.
▪ Unusual discrepancies between the entity's records and confirmation replies.
▪ Large numbers of credit entries and other adjustments made to accounts receivable.
▪ Unexplained or inadequately explained differences between
- Accounts receivable sub-ledger and control account, or
- Customer statements and accounts receivable sub-ledger.
▪ Missing or non-existent cancelled cheques.
▪ Missing inventory or physical assets of significant magnitude.
▪ Missing electronic evidence, inconsistent with entity’s record retention policies.
▪ Fewer or greater responses to confirmations than anticipated.
▪ Inability to produce evidence of key systems development and program change testing and
implementation activities for current-year system changes and deployments.

Problematic or unusual relationships between auditor and management, including:


▪ Denial of access to records, facilities, certain employees, customers, vendors, or others etc.
▪ Undue time pressures imposed by management to resolve complex or contentious issues.
▪ Complaints by management about conduct of audit
▪ Management intimidation of engagement team members.
▪ Unusual delays by the entity in providing requested information.
▪ Unwillingness to facilitate auditor access to key electronic files for testing through CAAT.
▪ An unwillingness to add or revise disclosures in F/S to make them more understandable.
▪ An unwillingness to address identified deficiencies in internal control on a timely basis.

Other:
▪ Unwillingness by management to permit auditor to meet privately with TCWG.
▪ Accounting policies that appear to be at variance with industry norms.
▪ Frequent changes in accounting estimates without reasonable justification
▪ Tolerance of violations of the entity’s code of conduct.

Communications to Management and TCWG


▪ If auditor has obtained evidence that fraud exists or may exist, he should communicate with
appropriate level of management (at least one level above the person suspected)
▪ Sometimes it is also appropriate for the auditor to communicate with TCWG regarding an actual or
suspected fraud. (e.g. where management is involved in the fraud)
▪ If (in exceptional circumstances) auditor has doubts about the integrity or honesty of management or
TCWG, he may consider it appropriate to obtain legal advice to determine appropriate course of action.
▪ Auditor should also consider whether there is a duty to report to authorities.

Not-for-Profit Organisations (NFPO)

The main points to bear in mind with the audit of an NFPO are summarised below.

Area: Planning
Comments: Consider:
▪ Objectives and scope of the audit work
▪ Any local regulations that apply
▪ Environment in which the organisation operates
▪ Form and content of the final F/S and the audit opinion
▪ Key audit areas, including risk.

Area: Internal control
Comments:
▪ Controls over cash collection and cash payments
(because large amounts may be collected from public by volunteers)
▪ Segregation of duties (may be difficult in a small NFPO with few employees)
▪ Authorisation of spending
▪ Cash controls
▪ Controls over income (donations, cash collections, membership fees, grants)
▪ Use of funds only for authorised purposes.

Area: Audit evidence
Comments:
▪ A substantive testing approach (rather than systems based approach) is likely to be
necessary in a small NFPO (because of weaknesses in internal controls).
▪ Key areas may include:
- Completeness of recording transactions, assets and liabilities
- Possibility of misuse of funds.
▪ Analytical procedures may be used to ‘make sense’ of the reported figures.
▪ There should be a review of final F/S, appropriateness of accounting policies

Area: Reporting
Comments:
▪ Standard external audit report may be applicable
(If a report on an NFPO is required by law)
▪ Report suggested by ISA 700 may be used
(If the audit is performed on a voluntary basis)

Other factors to consider

▪ Cash may be significant in small NFPOs and controls are likely to be limited.
▪ Income could be a risk area, particularly where money is donated or raised informally.
▪ There may be a limitation on the scope of the audit if obtaining audit evidence is a problem.
▪ There may be a lack of predictable income or identifiable relationship between expenditure and
income which could make analytical review less appropriate.
▪ Restricted funds may exist where the organisation is only allowed to use certain funds for specific
purposes.
▪ There may be sensitivity to key statistics such as the proportion of revenue used in administration
(particularly for a charity)
