Chapter 3

Client Acceptance and

Planning the Audit

Ch 3-Part II - Assessing the Risk of

Material Misstatement
Learning Objectives
3.2.1 Define risk assessment and its purpose
3.2.2 Distinguish the different types of risk
assessment procedures
3.2.3 Understand important auditor considerations
related to the risk of material misstatement due
to fraud
3.2.4 Define significant risk, describe the auditor’s
responsibility to identify significant risks
3.2.5 Describe the audit risk model and its
components
3.2.6 Assess acceptable audit risk
3.2.7 Consider the impact of several factors on the
assessment of inherent risk
KC Audit I
 Figure 3.1 Planning an Audit and Designing an
Audit Approach (The Planning process)

(Planning
process 1-4)
focusing on
Materiality is
discussed in
3.1 (previous
part)

(Planning
process 5-8,
focusing on risk
assessment )
will be
discussed in
3.2 (this part)
KC Audit I
Risk Assessment

• Risk assessment - is the identification and

evaluation of several aspects of an entity
whereby risks are identified and evaluated for use
in guiding the audit procedures that will be
necessary in order to substantiate the amounts
reported in the financial statements.

o The Quantitative aspect attempts to quantify risk

by assigning numerical values (eg 5%,10%..)

o The Qualitative aspect makes a judgment about

KC Audit I
risk as high, medium, low.
..Risk Assessment
Purpose of Risk Assessment
• At all stages of the audit, including during risk
assessment, the auditor must bear in mind what
the overall objectives are.
In order to obtain assurance- about whether the
financial statements are free from material
misstatement, the auditor needs to consider how
and where misstatements are most likely to arise.
– By assessing risk of material misstatement:
 the auditor identifies areas of FSs
susceptible to material misstatement and
 design and perform further audit
procedures.
KC Audit I
…. Risk Assessment

Risk assessment helps the auditor:

– to ensure the key areas more susceptible to
material misstatement are adequately
investigated and tested during the audit.
– to identify low risk areas where reduced testing
may be appropriate, and to ensure time is not
wasted by over-testing these areas.
Once the auditor has identified the audit risks,
procedures can be put in place in response to that
risk.

KC Audit I
..Risk Assessment
Why is Risk Assessment so Important to
an Audit?
• Risk assessment is an essential task, particularly if
the auditor desire efficiency and effectiveness for
the audit.
• When properly performed, Risk assessment, tells
the auditor:
– 1.which audit procedures are necessary to do,
and
– 2.which audit procedures can be omitted.
• In general, risk assessment is a means by which
maximum
KC Audit I result is attained with minimal effort.
 ..Risk Assessment----
• ISA 315 requires auditor to identify and assesses
the risk of material misstatement, whether due to
fraud or error, at both the financial statement
and assertion level
The risk of material misstatement exists at
two levels:
a. Overall financial statement level
b. Assertion level
Auditing standards require the auditor to assess
the risk of material misstatement at each of
these levels and to plan the audit in response to
those assessed risks.
• .
KC Audit I
 ..Risk Assessment
a. Risk of Material Misstatement at the
Overall Financial Statement Level

– Risk at this level refers to risks that relate

pervasively to the financial statements as a
whole and potentially affect a number of
different transactions and accounts.

– It is important for the auditor to consider risks

at the overall financial statement level,
given those risks may increase the likelihood
of risks of material misstatement across a
KC Audit I
number of accounts and assertions for
those accounts.
… Risk Assessment
Factors that may increase the risks of
material misstatement at the overall
financial statement level include:
– Deficiencies in management’s integrity or
competence
– Ineffective oversight by the board of
directors, or
– Inadequate accounting systems and records
– Declining economic conditions or significant
changes in the industry may also increase the
risk of material misstatement at this level

KC Audit I  These factors increase the likelihood that

material misstatements may be present in a
 the assertion Level

• Assertions /Management assertions/ are

implied or expressed representations by
management about:
– classes of transactions (transaction
related assertions)
– the related accounts and (balance related
assertions)
– disclosures in the financial statements.
(disclosure related assertions)

KC Audit I
 ..Risk of Material Misstatement at the
assertion Level
In most cases assertions are implied. The three
categories of assertions are:

– transaction related assertions ( Occurrence,

Completeness, Accuracy, Classification,
Cutoff).

– balance related assertions (Existence,

Completeness, Valuation and allocation,
Rights and obligations)

KC Audit I – disclosure related assertions (Occurrence

and rights and obligations, Occurrence,
Risk of Material Misstatement at the
assertion Level

After the relevant assertions have been

identified, the auditor can then develop audit
objectives for each category of
assertions.
• The auditor’s audit objectives follow and are
closely related to management assertions,
because the auditor’s primary responsibility is
to determine whether management
assertions about financial statements are
justified.
KC Audit I
… Risk Assessment
…Riskof Material Misstatement at the
assertion Level

Developing audit objectives for classes of

transactions, account balances, and
presentation and disclosure helps the
auditor to:
- design audit procedures to accumulate
sufficient appropriate evidence about each
aspect of the assertions.
For example,
 developing an audit objective specific to
KC Audit I
Risk of Material Misstatement at the
assertion Level
Developing an audit objective for the
classification of transactions helps the auditor
to :
-design and perform audit procedures to
obtain evidence about whether the transactions
are recorded in the appropriate accounts.
Auditing standards- require the auditor :
• to assess the risk of material misstatement
at the assertion level for-
• classes of transactions,
• account balances, and presentation and
disclosure
KC Audit I
assertion Level
Risk of Material Misstatement at the assertion
Level
– Nature-the type of audit procedure applied
(physical count, confirmation..)
– Time-When to apply the audit procedures (at
the end of the year, during the audit, ….)
– Extent-How much sample to take?
• Auditors develop audit objectives for each of the
assertions and perform audit procedures to obtain
persuasive audit evidence that each of those
audit objectives is achieved.
• As a result, auditors typically assess the risk that
audit objectives related to assertions for
KC Audit I

classes of transactions, account balances,

…… Risk Assessment
…Riskof Material Misstatement at the
assertion Level
The risk of material misstatement- at the
assertion level consists of two components:
inherent risk and control risk.

– Inherent risk- represents the auditor’s

assessment of the susceptibility of an
assertion to material misstatement, before
considering the effectiveness of the client’s
internal controls.
 For example, inherent risk may be higher for
KC Audit I
accounts whose valuations are dependent on
complex calculations or accounting estimates
…Risk of Material Misstatement at the
assertion Level
Control risk -represents the auditor’s assessment
of the risk that a material misstatement could
occur in an assertion and not be prevented or
detected on a timely basis by the client’s
internal controls.

– For example, -control risk may be higher if the

client’s internal control procedures fail to
include independent review and
verification by other client personnel of
complex calculations used or significant
estimates developed to determine the valuation
of an account balance recorded in the client’s
KC Audit I financial statements.
..Risk Assessment
The Risk Assessment Process
• The risk assessment process includes:
– Understanding and evaluating the entity and its
environment
– Understanding and evaluating the risks of fraud
at the entity
– Understanding and evaluating the internal
control processes and procedures at the entity
– Performing an overall evaluation of all
information gathered and risks assessed
– Design audit procedures to respond to the
overall risk of material misstatement and any
KC Audit I
other significant risks
Procedures

KC Audit I
.. Planning and Risk Assessment Procedures
i. Engagement Team Discussion
• The engagement team must discuss the areas in
which the FSs of the entity may be susceptible to
material misstatement whether due to fraud or
error [ISA315.A14].
• The audit team members, including the auditor
with final responsibility for the audit will have a
"brainstorming" session to exchange ideas mainly
about:
– how and where they believe the entity's FSs
might be affected by material misstatement due
to fraud,
– how management could do wrong and conceal
KC Audit I
fraudulent financial reporting, and
.. Planning and Risk Assessment Procedures
…Engagement Team Discussion
• The discussion includes:
– About the two main types of fraud
1. Fraudulent Financial reporting: is an
intentional misstatement or omission of amounts or
disclosures with the intent to deceive/mislead users.
– Deliberate overstatement/understatement of asset,
revenue, expense, liability. Eg use of practices such as
Earnings management, income smoothing-
 Earnings management ( deliberate actions taken by
management to meet earnings objectives)
 Income smoothing- (a form of earnings management in
which revenues and expenses are shifted between
periods to reduce fluctuations in earnings)

2. Misappropriation of assets- is fraud that

KC Audit I
 Procedures
…Engagement Team Discussion
…The discussion includes:
– About the Three conditions for fraud:

KC Audit I
Procedures
…Engagement Team
Discussion
Three conditions for fraud arising from fraudulent
financial reporting and misappropriations of assets
are referred to as the fraud triangle:

– Incentives/Pressures- Management or other

employees have incentives or pressures to
commit fraud (Employees with excessive
financial obligations, or those with drug abuse
or gambling problems, may steal to meet their
personal needs/ to fund extravagant lifestyle).

KC Audit I
 …Engagement Team Discussion

– Opportunities- Circumstances provide

opportunities for management or employees to
commit fraud (absence of control, position or
power)

– Attitudes/Rationalization- An attitude,
character, or set of ethical values exists that
allows management or employees to commit a
dishonest act, or they are in an environment
that imposes sufficient pressure that causes
them to rationalize committing a dishonest act.
KC Audit I
.. Engagement Team Discussion
…The discussion includes:
– A consideration of the known external and
internal factors affecting the entity that might
– Create incentives/pressures for management
and other (employees, directors..) to commit
fraud,
– Provide the opportunity for fraud to be
committed, and
– Indicate a culture or environment that enables
management to rationalize committing fraud.
 The discussion should occur with an attitude
that includes a questioning mind.
 And, for this purpose, it is essential to set aside
any
KC Audit I prior beliefs the audit team members may
 .. Engagement Team Discussion

– Finally, the discussion should include:

 how the auditor might respond to the
susceptibility of the entity's financial
statements to material misstatement due to
fraud.
 Responding to these risks properly is critical
to achieving a high-quality audit
 An emphasis should be placed on the
importance of maintaining the proper state of
mind throughout the audit regarding the
KC Audit I potential for material misstatement due to
fraud.
 ii Determine Materiality

– Determine the amounts that will be

considered material in relation to the financial
statements.
– It is better to use industry standards to
perform the calculation of materiality.

KC Audit I
 iii. Risk Assessment Procedures

KC Audit I
….Risk Assessment Procedures
• Types of risk assessment procedures include:
– Inquiries of management and others
within the entity and those charged with
governance.
– Observation
– Inspection
– Analytical procedures
•Risk assessment procedures -are
performed to confirm truthfulness of
information obtained during the risk
assessment process
KC Audit I
….Risk Assessment Procedures
Analytical procedures
• Preliminary analytical procedures:
– analytical procedures must be performed
while planning the audit with an objective of
identifying the existence of unusual
transactions or events, and amounts,
ratios, and trends that might indicate matters
that have financial statement and audit
planning implications.
- Analytical procedures related to revenue:
– the auditor also should perform analytical
procedures relating to revenue with the
KC Audit I objective of identifying unusual or unexpected

relationships involving revenue accounts that

….Risk Assessment Procedures

Identifying the Risk of Material

Misstatement Due to Fraud
– Make inquiries of management and others
within the entity to obtain their views about the
risks of fraud and how they are addressed.
– Consider any unusual or unexpected
relationships that have been identified in
performing analytical procedures in planning
the audit.
– Consider whether one or more fraud risk factors
exist.
– Consider other information that may be helpful
in the identification of risks of material
misstatement due to fraud.
KC Audit I
 Risk Assessment Procedures

.. Identifying the Risk of Material

Misstatement Due to Fraud
The auditor should inquire of management about
– Whether management has knowledge of any
fraud or suspected fraud affecting the entity
– Whether management is aware of allegation
of fraud or suspected fraud affecting the
entity, for example, received in
communications from employees, former
employees, analysts, regulators, or others
– Management's understanding about the risks
of fraud in the entity, including any specific
KC Audit I fraud risks the entity has identified or
account balances or classes of transactions
.. Risk Assessment Procedures
…Identifying the Risk of Material Misstatement
Due to Fraud
…The auditor should inquire of management about:
– Programs and controls the entity has established
to mitigate specific fraud risks the entity has
identified, to prevent, deter, and detect fraud,
and how management monitors those programs
and controls
– For an entity with multiple locations,
 the nature and extent of monitoring of
operating locations or business segments, and
 whether there are particular operating
locations or business segments for which a
KC Audit I
risk of fraud may be more likely to exist
.. Risk Assessment Procedures

Considering Fraud Risk Factors

• Because fraud is usually concealed, material
misstatements due to fraud are difficult to detect.
• •The auditor may identify events or conditions
that:
– 1.indicate incentives/pressures to perpetrate
fraud
– 2.opportunities to carry out the fraud, or:
– 3.attitudes/rationalizations to justify a
fraudulent action.

KC Audit I
 v. Understand the Entity and Its
Environment
• Usually, auditors ask the following questions to
gain understanding about the entity:

– How is the company’s performance as

compared with others in the industry?
– Are there any new competitive pressures or
opportunities?
– Have key vendor relationships changed?
– Can the entity obtain necessary knowledge of
products?
– How strong is the entity’s cash flow?
– Has the entity met its debt obligations?
– Who are your key personnel and why are they
KC Audit I
important?
..Understanding Internal Control
– Auditors are required to gain an
understanding of the entity’s policies and
procedures to determine if:
 a control system is in place and
 controls are properly designed and
implemented.
– Auditors are required to perform inquiry,
observation, and inspection to determine if
controls have been properly implemented
– Evaluate the design and implementation of
controls
 Related to significant risks
 Related to risks that cannot be tested
KC Audit I
effectively using substantive procedures
 Performing Walkthroughs/testing by
making or practicing
– Walkthroughs can be a very effective way
of determining whether controls have
been properly designed and
implemented.
– Procedures of a walkthrough include:
 Select one or a few transactions
 Trace from initial creation of the source
document to final posting in the general
ledger
 Inspect documents and records used in
processing, make inquiries, and observe
KC Audit I
procedures being performed
 …….Performing Walkthroughs

• During the walkthrough, the auditor will

document the following:
– Understanding of internal control
components
– Sources of information
– Procedures performed
– Controls evaluated related to significant
risks and risks for which substantive
procedures alone are not effective
– Processing of transactions for each
significant transaction class
KC Audit I
– The process of closing the accounts and
preparation of report.
 Accounting Estimates

Auditors perform review of Accounting

Estimates to evaluate:
– Effectiveness of management’s estimation
process
– Information relevant to current year
estimates
– The need for disclosure
– The existence of possible management
bias

KC Audit I
 Identifying Significant Risks/Audit
Areas

Significant Risk
• A significant risk represents an identified and
assessed risk of material misstatement (RMM) of
the FSs or disclosures that, in the auditor’s
professional judgment, requires special audit
consideration.
– Significant risks are likely to be included in
public company audit reports as critical audit
matters
• Significant risks often relate to:
– Non-routine transactions-transaction that is
KC Audit I
unusual, either due to size or nature, and
Areas
• When auditors identify significant risks/audit
areas, (areas that present possibility of material
misstatement of the FSs or disclosures) they
consider the fallowing factors and apply
professional judgment and are required to be
skeptic in the process:
Auditors Consider the following factors in
identifying significant risk :
– Volume of activity
– Size and composition of accounts
– Types of transactions
– Presence of fraud risks or other significant risks
– Changes from the prior period
KC Audit I
professional skepticism in applying Risk
assessment procedures
• Auditors assess Risk of Material Misstatement
(RMM) by assessing each risk that contributes to
Audit risk.
• Remember, Audit Risk=RMM x Detection Risk
• =RMM has two
components, IR & CR
a. Assessment of Inherent Risk:
– The auditors must use their professional
judgment and all available knowledge to
assess inherent risk.
– If no such information or knowledge is
available then the inherent risk is high.
KC Audit I
professional skepticism in applying Risk
assessment procedures
• The assessment of inherent risk is important
because it is auditors’ attempt to predict
where misstatements are most and least
likely in the financial statement segments
• This assessment affects:
– the amount of evidence that the auditor
needs to accumulate,
– the assignment of staff, and
– the review of audit documentation
Auditors begin their assessments of inherent
risk during the planning phase and update
the assessments throughout the audit
KC Audit I
..Use of professional judgment & professional
skepticism in applying Risk assessment procedures

• …Assessment of Inherent Risk:

The following factors help the auditor to assess

Inherent Risk
-Auditor's knowledge of its clients
-Auditor’s knowledge of its client's operating
environment
-Auditor’s knowledge of each auditable area

KC Audit I
b. Assessment of Control Risk

Similar to the case of inherent risk, auditors

must use their professional judgment and all
available knowledge.

Factors Affecting Control Risk

• Quality of management and staff
• Quality of internal control system
• Level of supervision
• Level and quality of internal audit coverage in
an organization

KC Audit I
 Factors that help to assess Control Risk

- Assessing the behavior of management &

staff, their attitude towards control, the internal
control system and the level of internal audit
service
- Information about time elapsed since last audit.
- In general, assessment of inherent risk and
control risk (misstatement) requires the
audit team to have a good knowledge of how
the client’s activities, control systems,
affect financial statements.
KC Audit I
c. Assessment of Detection risk:
 For the Detection risk component of audit
risk, auditors have degree of control over. If
risk is too high to be tolerated, the auditors
can carry out more work to reduce this
aspect of audit risk and audit risk as a whole.

An auditor can reduce detection risk and

overall audit risk by:
– Adequate planning
– Assigning more experienced people to the
audit team
– The application of professional skepticism
– Applying wider range of audit procedures
KC Audit I – Increasing sample size
 …..How to address Detection Risk
– Setting appropriate materiality levels and also
testing levels help to address detection risk
Eg (1) The auditor assigns
-Inherent Risk (IR) as 100% (assume no control)
- Control Risk (CR) as100 % (assume poor internal
control system)
- Acceptable Audit risk (AAR) as 5% for inventory &
Warehousing Cycle. (the auditor wants to be 95%
sure that audit result for this cycle is correct)
What will be the Planned Detection Risk
(PDR)?
If AAR = IR x CR x PDR,
Planned Detection Risk(DR)= Audit Risk
KC Audit I
(AR)
 PDR= 0.05 = 0.05=5%
1X1
– Note: Both IR,CR are subjectively estimated
by the auditor on the basis of his/her
knowledge about various factors affecting
these risks

KC Audit I
Eg (2) The auditor assigns
- Acceptable Audit risk (AAR) as 5% , the auditor
wants to be 95% sure that opinion is correct
- Inherent Risk (IR) as 50% (based on assessing
various factors)
- Control Risk (CR) as 20 % (based on tests of
control)

Note:
What Assessing
will IR & CR as
be the Planned low increases
Detection Risk
(PDR)? Planned detection risk

– If the auditor assess higher IR and CR, it

means, greater level of the audit work is
required to lower the detection risk, so as to
achieve the desired level of audit risk
KC Audit I
Evidences

Inherent Risk
– The lower the assessed level of inherent risk,
the more the reliable evidence is needed for
the audit
Control Risk
– The lower the assessed level of control risk, the
more the extensive test of control is needed
than less tests of control
Detection Risk
– The lower the assessed level of detection risk,
the more the extensive substantive test is
needed than less substantive tests
– Higher degree of professional judgment is
KC Audit I
 The Auditor’s Responses to Assessed
Risks (ISA 330)

• Paragraph 6 of ISA 330 requires that: ‘The

auditor shall design and perform further
audit procedures whose nature, timing,
and extent are based on and are responsive
to the assessed risks of material
misstatement at the assertion level.’
• ISA 330 requires that auditors should carry
out tests of control and substantive
procedures

KC Audit I
 Tests of control

• -it is an audit procedure designed to evaluate

the operating effectiveness of controls in
preventing, or detecting and correcting,
material misstatements at the assertion
level.
• Tests of control usually include short, quick
tests which generate either a ‘yes’ or a ‘no’
answer, where ‘yes’ is favorable (confirming
the operation of an internal control), and ‘no’
is unfavorable (indicating that an internal
control is not operating satisfactorily).
KC Audit I
 Substantive procedures
• - are audit procedures designed to detect material
misstatements at the assertion level.
• Substantive procedures comprise
– 1. tests of details (of classes of transactions,
account balances and disclosures) and
– 2. analytical procedures.
• As the name suggests, substantive procedures are
more substantive and time consuming,
requiring more detailed audit work to be carried
out
 ISA 330 requires that the auditor shall
always carry out substantive procedures on
material items irrespective of the assessed
KC Audit Irisks of material misstatement, and that the

auditor shall design and perform substantive

.. Substantive procedures involves more work
than tests of control.

-Consider example of the purchases system for

a manufacturing company and the assertion of
existence for account balances in the
statement of financial position.

– Typical tests of detail would involve some

physical verification of year-end balances
outstanding, which would require obtaining
and reviewing the ending purchase ledger
account balances for a sample of purchase
ledger accounts with selected suppliers.
KC Audit I
 • Typically, this could include agreeing the
ending balance figure to the supplier’s
statement, or even possibly requesting third
party confirmation by the supplier of the
amount outstanding.

KC Audit I
• Cut-off testing - would also be typically carried
out on year-end purchase ledger balances,
which would involve obtaining a sample of pre-
and post - year-end goods received notes and
agreeing these to the matching pre- or post-
year-end purchase invoices, to ensure that
only goods received before the end of the
accounting period were included.

• This test would also help to confirm the

assertion of existence.

KC Audit I
Timing (when to apply audit procedures
(tests of control or substantive
procedures )
– ISA 330 indicates that the auditor may
perform tests of control or substantive
procedures:
 at an interim date or
 at the period end.
– If substantive testing is performed at an
interim date then additional substantive
procedures alone or combined with tests of
control are required for the intervening
period.
– This will provide a reasonable basis for
KC Audit I
 – The standard also indicates that, in general,
the extent of audit procedures increases
as the risk of material misstatement
increases.
– (More risk-more audit procedures; Less risk,
less audit procedures)
• When is it necessary to perform tests of
control?
– The auditor should perform tests of
controls if:
 There is a need to rely on the controls
to reduce the level of substantive
procedures conducted.
KC Audit I
 and Audit Plan
Finalizing the audit strategy and audit
plan involves the following:

Assessing Risks at FS level and Developing Responses

Develop the detailed audit plan

Assess risks at the relevant assertion level

Develop the overall audit strategy

Assess risks at the financial statement level

KC Audit I
 …Finalizing the Overall Audit Strategy and
Audit Plan)
• Develop the Overall Audit Strategy
– The overall audit strategy should include
identification and evaluation of the
following:
 Characteristics of the engagement that
define its scope
 Reporting objectives of the
engagement
 Important factors that determine audit
focus
 Resources needed to perform the
audit
KC Audit I
 ……Finalizing the Overall Audit Strategy
and Audit Plan

• Factors That Determine Audit Focus

– Materiality levels
– Overall risks and responses
– Preliminary identification of high risk audit
areas
– Preliminary identification of material
locations and accounts
– Whether the auditor plans to test and rely
on controls
– Composition and deployment of the audit
team
KC Audit I
……Finalizing the Overall Audit Strategy
and Audit Plan
• What is the Assertion Level?
– The “assertion level” is the level at which
statements are presented as completely true.
 For example, management tells the auditor the
financial statements show a true valuation
of inventory, - the inventory reported on FS
exists and can be checked–management are
formally “asserting” this statement as being
correct, so we call this at the “assertion level”.

Assessing Risks at the Relevant Assertion Level

• This involves auditors identification of risks of material
misstatement (due to error or fraud) for specific—
– Account balances
– Transaction classes
KC Audit I
– Disclosures
……Finalizing the Overall Audit Strategy
and Audit Plan
• …Assessing Risks at the Relevant Assertion
Level
– Identify risks for which substantive
procedures alone are not adequate
– Revise the risk assessment and reconsider
planned audit procedures if audit evidence
contradicts the original risk assessment
• Document the following:
– Risk assessment at the relevant assertion
level
– Basis for the assessment
– Significant risks
KC Audit I – Risks for which substantive procedures alone

are not adequate

 ……Finalizing the Overall Audit Strategy
and Audit Plan
• The Detailed Audit Plan
– It consists the nature, timing, and extent of
further audit procedures to respond to the
risk assessment (i.e., the audit program)
– It provides linkage between the risk
assessment and the responses at the
assertion level
Tailoring the audit program
If Low RMM -Primarily analytical procedure, then
-Some tests of details
If Low to Moderate -Analytical procedure
RMM •Tests of details needed to respond to
risk
If Moderate to High •Tests of details and extended analytics
RMM •For audit areas or assertions with
KC Audit I
higher risk
• Overall responses
• ISA 330 lists the following overall responses that
may be used by auditors in order to address the
assessed risks of material misstatement at the
financial statement level:
– Emphasizing to the audit team the need to
maintain professional skepticism.
– Assigning more experienced staff, those with
special skills, or using experts.
– Changes to the nature, timing and extent of
direction and supervision of members of the
engagement team and the review of the work
performed.
– Incorporating additional elements of
KC Audit I
unpredictability in the selection of further audit
 ……Finalizing the Overall Audit Strategy
and Audit Plan)
• The Input and Output
– The inputs in audit planning include all of
the above audit risk assessment
procedures.
– The outputs (sometimes called linkage) of
the audit risk assessment process are:
 Audit strategy
 Audit plan (audit programs)
• The auditor tailors the strategy and plan
according to the risk assessment

KC Audit I
 ……Finalizing the Overall Audit Strategy
and Audit Plan)
• Audit Strategy
• The audit strategy sets out in general terms:
– how the audit is to be conducted and
– sets the scope, timing and direction of the
audit.
– The staffing issue
The audit strategy then guides the development
of the audit plan, which contains the detailed
responses to the auditor’s risk assessment.
Audit strategy and plan can be prepared side by
side.

KC Audit I
 ……Finalizing the Overall Audit Strategy
and Audit Plan)
• Audit program
• An audit program is a collection of audit procedures for an audit
area or an entire audit (for a component of F/S or entire F/S), each
including sample size, item to choose and the timing of the
sample
• Preparation of an audit program is part of planning an audit.
• It shows the steps in the audit process that helps to achieve the
audit objectives, the work that has to be done
• It is prepared for each component of an audit (Audit program for
cash, for receivables, for inventory..,) to guide the auditor:
• What procedure to apply,
• When to apply the procedure,
• How to apply and so on
• It is used as a base to assign auditors and also follow up the work
KC Audit I

• It also reduces supervisor’s time spent on guiding new auditors

 ……Finalizing the Overall Audit Strategy
and Audit Plan)

• Audit Plan
• The audit plan is a detailed programme giving
instructions as to how each area of the audit
will be conducted.
• The audit plan details the specific procedures
to be carried out to implement the strategy
and complete the audit.

KC Audit I
……Finalizing the Overall Audit Strategy
and Audit Plan)
• ISA 300 provides guidance on what should be
included in the audit plan, stating that the audit
plan should describe:
– the nature, timing and extent of planned risk
assessment procedures
– the nature, timing and extent of planned
further audit procedures at the assertion level
– other planned audit procedures that are
required to be carried out so that the
engagement complies with ISAs.
Typically an audit plan will include sections
dealing with business understanding, risk
assessment procedures, planned audit
KC Audit I
procedures ie the responses to the risks
 ……Finalizing the Overall Audit Strategy and
Audit Plan

Role of Risk Assessment Procedures

KC Audit I
 End of Chapter 3: Part II

Questions

KC Audit I