Module 2 - Audit Planning

Risk-based Audit
- The risk-based audit approach is where audit resources are directed towards areas of the
financial statements that may contain misstatements as a consequence of the risks faced
by the business.
- Through this approach, auditors are able to assess the likelihood and the magnitude of
misstatements.
- They then decide upon the type and extent of audit procedures to be applied.
- This is also known as the top-down approach or business risk approach.

Pre-engagement procedures
- This is a set of procedures that are done before deciding whether to accept or reject an
audit engagement. To make this decision, the following are considered:
➔ Competence
● Determine whether the auditor(s) has the necessary skills and competence
to perform the engagement.
➔ Independence
● Consider if there are any threats to the audit teams independence and
objectivity and
● Whether safeguards can be established, if applicable.
➔ Ability to serve the client properly
● This is related to competence
● It mainly deals with resources needed to perform the engagement-- such
as:
➢ audit personnel and ➢ time.
➔ Integrity of the management
● Prospective client does not lack integrity
● Is not associated with anything that may have a bearing on the prospective
client’s integrity.
● To properly evaluate the integrity of the client, the auditor must:
➢ Make inquiries with appropriate parties in the business community,
such as financial institutions, lawyers, etc.
➢ Communicate with the predecessor auditor.
● However, communication may only be done with the
permission of the prospective client.
➢ For recurring audits:
❖ Clients should be evaluated:
■ at least once a year OR
■ upon occurrence of significant events such as:
● changes in management, directors, ownership,
nature of business
 ● other changes that, in the auditor’s professional
judgment, may affect the scope of the examination.

Engagement Letter
➔ Once the engagement has been accepted, an engagement letter should be
prepared.
➔ It serves as a written contract between the auditor and the client.
➔ Purpose:
● It helps prevent misunderstanding regarding the terms of the engagement
● It documents and confirms the auditor’s acceptance of the appointment.
➔ The principal contents of the letter are:
● The objective of the audit of the financial statements- which is to express
an opinion on the financial statements;
● The management’s responsibility for the fair presentation of financial
statements;
● The scope of the audit;
● The form of any other communication of results of the audit engagement;
● The fact that, due to inherent limitations of the audit, there is an unavoidable
risk that material misstatements may remain undetected;
● The responsibility of the client to allow the auditor to have unrestricted
access to whatever records, documentation, and other information
requested in connection with the audit;
● Other information may also be communicated in the letter, such as: ➢ The
basis of the fees and billing agreements;
➢ Expectation of receiving from management written confirmation
concerning representation made in connection with the audit ➢
Arrangements concerning the need for an expert (if any)
➢ Request for the client to confirm the terms of the engagement.

Audit Planning

- Why do we plan an audit?

➔ So that audit may be conducted in an effective manner. It involves developing a
general audit strategy and a detailed approach for the expected conduct of an
audit.

Effective vs Efficient
Effectiveness places emphasis on the output or whether you have achieved your
objectives. On the other hand, efficiency is focused on inputs and the process itself-
whether you were able to maximize the available resources on hand. Both are important
in audit, but being effective is its main objective.

Made by:
Cathlyn S. Linga
- Benefits of planning (CAFe PA):
➔ Coordination of work done by auditors and experts.
● Planning enables the auditors to get an overview of the scope of
the audit.
● Properly coordinating the work and deciding the areas where
experts may be needed.
➔ Proper assignment of team members and work allocation.
● This determines the number of team members that are required for
a particular engagement.
● It is important that members of the team have relevant training and
knowledge as to the particular industry of the firm they will be
auditing.
➔ Facilitates the direction and supervision of engagement team members and the
review of their work.
● It is important that work done by less experienced members is
reviewed by more experienced members.
● Reporting structure is planned beforehand and is a part of the
planning process.
➔ It helps in ensuring that the audit will be effective.
➔ Helps the auditor identify and resolve potential problems on a timely basis.
➔ Helps the auditor devote appropriate attention to important areas of the audit.

- How do we know the extent to which we should plan the audit?

➔ It will vary according to different factors which are summarized below:

- What are the outputs of audit planning?

➔ An overall audit strategy that sets the scope, timing, and direction of the audit;

Made by:
Cathlyn S. Linga
 ➔ A detailed audit plan containing the nature, timing, and extent of the risk
assessment procedures at the assertion level (per account balance, classes of
transactions);
● Nature- the purpose and type of procedures,
● Timing- whether interim or year-end, and
● Extent- the quantity of procedures to be performed and evidence
to be gathered.
➔ Audit programs- tailored to the needs of the particular engagement.

Essential planning requirements

- Knowledge of the business

➔ It is important to understand the client's business and its environment, and the
industry it operates in so that we can know the events and transactions that may
have an effect on the client’s financial statements.
➔ Knowledge on the entity entails understanding its objectives and strategies, and
business risks it is susceptible to.
➔ The auditor may gather such information through:
● Reviewing the previous year’s audit working papers;
● The auditor’s previous experience with the entity and its industry;
● Tour of the entity’s facilities;
● Discussion with people within and outside the entity; ● Reading publications
related to the industry.

➔ Risk Assessment Procedures (RAPs)

● In further understanding the entity and its internal controls, and since we
are using a risk-based approach, it is important to perform RAPs or risk
assessment procedures.
● More importantly, RAPs enable us to better identify and assess risks; these
procedures are identified as the following:
➢ Inquiry- it consists of seeking information of knowledgeable persons,
both financial and nonfinancial. inquiries may be directed to people
within and outside the entity.
➢ Observation- looking at a process that is being done by the entity’s
personnel.
➢ Inspection- consists of examining records or documents, whether
internal or external, in paper or electronic form, or a physical
examination of an asset. Both observation and inspection may
support inquiries of management.

- Preliminary analytical procedures

Made by:
Cathlyn S. Linga
 ➔ Analytical Procedure as a RAP may help identify the existence of unusual
transactions or events, and amounts, ratios, and trends.
➔ The PSA requires auditors to use analytical procedures in:
● Planning stage
● Overall review stage.
➔ For now we will be focusing on the planning stage.

Preliminary analytical procedures in the planning stage

➔ To gain an understanding of the client’s business.
➔ Knowledge about the identified unusual relationships after applying analytical
procedures helps the auditor identify and assess Risks of Material
Misstatements (RoMMs).
➔ This allows them to focus on these areas as it may indicate the existence of
misstatements in the Financial Statements.

Steps in applying analytical procedures

1. Developing an expectation, based on information from (PAINTA):
● Prior year’s financial statements
● Anticipated results such as budgets, forecasts, or projections
● Industry averages
● Non-financial information
● Typical relationships among financial statements account balances
● Annualized interim financial statements

2. Comparing the expectations with the financial statements being audited.

3. Investigating any significant or unusual differences after comparison as these may

indicate the existence of RoMMs.

- Materiality
➔ There is no specific definition of materiality provided by PSA; by definition, as we
have learned in accounting,
“Information is considered material if its omission or misstatement
could influence the economic decision of users taken on the basis
of financial statements,”
➔ As we are only providing reasonable assurance and it is impractical that we check
all accounts and balances of the client, there are accounts and balances that we
have to ignore, this is where materiality level comes into the picture.
➔ PSA 320 requires the auditor to make a preliminary estimate of materiality. It is a
matter of professional judgment involving quantitative and qualitative factors.
➔ How is materiality determined?
● There are no specific amounts set by the PSA to determine materiality.
● It is a matter of:

Made by:
Cathlyn S. Linga
 ● professional judgment, ● experience of the auditor, and ● historical data of
the client.

Financial Statement Level Materiality/ Overall materiality

● Represented by the smallest aggregate amount of misstatement
applicable to all financial statements
● Amounts that are lower than the set fs level materiality aren’t considered as
these won't distort the financial statements or mislead decision makers.

Account Balance Level

● The largest tolerable misstatement or allocated materiality to an
account

Performance Materiality
● Amount/s set by the auditor at less than the overall materiality level
● It is determined for the purposes of
➢ Assessing the RoMMs
➢ Determining the nature, timing, and extent of further audit
procedures.

Specific Materiality
● Amount/s set by the auditor at less than the overall materiality level for
specific account balances, classes of transactions, or disclosures.

Assessing and Managing Audit Risks

The Audit Risk Model

Audit risk = Inherent Risk x Control Risk x Detection Risk

Inherent Risk (IR)

- Susceptibility of an account balance or class of transactions to a material misstatement
assuming that there are no internal controls in place.
- This concept recognizes that some accounts or classes of transactions, by their nature
are more vulnerable to misstatements

Control Risk (CR)

- The risk that a material misstatement will not be detected or prevented or corrected in a
timely manner by internal controls in place.
- It pertains to the condition of the entity’s internal control systems.

Made by:
Cathlyn S. Linga
*It is important to keep in mind that both inherent risk and control risks cannot be mitigated by the
auditor, hence, to reduce audit risk, we have one risk that we can control- detection risk.

Detection Risk (DR)

- This is the risk that an auditor may not detect a material misstatement in an assertion.
- To minimize this risk, we place reliance on substantive tests.
- More effective substantive tests = lower detection risks (inverse relationship).
- Detection risk is the complement of the assurance provided by substantive tests.
- As the acceptable level of detection risk decreases, assurance from substantive tests must
be increased through more substantive tests.

Audit Risk (AR)

- The risk that an auditor might give an inappropriate audit opinion on the financial
statements.
- Audit risk is the complement of audit assurance.
- Ex: a 5% audit risk means that there is a 95% assurance level that the opinion expressed
by the auditor is appropriate.

Steps in using the audit risk model

Step 1: Set Acceptable Level of Audit Risk
- There are no guidelines or specific values given by the standards for us to determine the
level of audit risk.
- This is determined based on professional judgment.
- The lower the level of acceptable audit risk, the higher the desired level of assurance
(inverse relationship).

Step 2: Assessing Inherent Risk

- Obtain an understanding of the entity and its environment.
- Use professional judgment to evaluate the numbers and results of the preliminary
analytical procedures.

Step 3: Assessing Control Risk

- Study and evaluate the effectiveness of the client's internal control system.
- Effective control systems reduce the risk of material misstatements.

Step 4: Determining the Acceptable level of Detection Risk

- Once the three above-mentioned risks (AR, IR, and CR) have been determined/identified,
the acceptable level of detection risk is determined.
- For this step, you may refer to the audit risk model:
AR = IR x CR x DR
- To understand the level of the detection risk needed, rearrange the model into:
DR = AR / (IR x CR)
- This tells us that there is an inverse relationship between the acceptable level of detection
risk and assessed levels of inherent risk and control risk.

Made by:
Cathlyn S. Linga
 - Hence, the higher the assessed IR and CR, the lower the acceptable level of DR.

Step 5: Design Substantive Tests

- The substantive tests to be applied will depend on the acceptable level of detection risk.
- As the acceptable DR decreases, the assurance provided by the substantive test
increases.

Overall Audit Plan and Audit Program

Overall Audit Plan

- Matters identified in the overall audit strategy are addressed through an audit plan.
- It includes a description of the nature, timing, and extent of risk assessment procedures,
further audit procedures, and other audit procedures required by the PSAs.
- Planning doesn't only occur at the beginning of an audit because the audit plan develops
over the course of the engagement. - It is a continuous process.

Audit Program
- The audit program is the most important control mechanism in an audit.
- It is a list of procedures (test of controls or substantive tests) to gather sufficient
appropriate audit evidence.
- In most accounting firms, audit programs are already pre-printed. Auditors would normally
modify these to suit the client’s conditions, situations, and peculiarities.
- For initial engagements (first time clients of the audit firm):
➔ Preliminary audit programs are not usually prepared until the client’s control
structure has been reviewed and documented, - For continuing engagements:
➔ Preliminary audit programs can be drafted in advance of fieldwork.
- There are two types of audit programs:
1. Test of controls audit program or compliance test audit program; and 2.
Substantive test audit program.

The Need for Experts

- There may be certain engagements which require the expertise of a trained or qualified
person from another field, ex: actuaries or engineers.
- The following are considered when determining the need for an expert in the engagement:
1. The engagement team’s knowledge and previous experience of the matter being
considered;
2. The RoMM based on the nature,complexity, and materiality of the matter being
considered, and the quality and quantity of other audit evidence expected to be
obtained.
- When using/planning to use the work of an expert, and auditor should evaluate:
1. The professional competence of the expert,
2. Experience,
3. Reputation in his/her respective field, and
4. Expert’s objectivity.

Made by:
Cathlyn S. Linga
Understanding the Entity and its Environment
- Industry, regulatory and other external factors, including the applicable financial
reporting framework
➔ To properly understand the entity and its environment, we work our way from the
external factors to internal and more specific ones.
➔ External factors include:
● Industry- there may be risks associated with or are particular to the type of
industry which the entity operates
● Legislative and regulatory- which pertains to the jurisdiction in which the
entity is registered or operates
● Financial reporting framework- similar to legislative and regulatory factors,
it is also based on the jurisdiction in which the entity is registered or
operates. In some cases, where there are no local financial reporting
framework, the entity’s choice may be governed by local or industry
practice, user needs, or other factors

- Nature of the entity

➔ Understanding of the nature of the entity would enable the auditor to understand
the classes of transactions, account balances, and disclosures that are in its
financial statements. It includes its:
● Operations;
● Ownership and governance structure;
● The type of investment it makes/future investment plans;
● The entity’s structure and means of financing

- Objectives and strategies and related business risks (PSA 315, para. 11(d))
➔ Objectives- overall plans for the entity set by the management or those charged
with governance.
➔ Strategies- approaches taken by the management to achieve its objectives, these
tend to be more specific.
➔ Business risks
● Arise from significant conditions, events, or circumstances that affect the
entity’s ability to achieve its objectives and implement the strategies.
● It is broader than the RoMM.
● Most business risks will eventually have financial consequences and an
effect on financial statements, however, not all business risks result to
RoMMs.
● The identified business risks are addressed through internal controls
(discussed in the next module) implemented by the entity.

- Measurement and review of the entity’s financial performance

Made by:
Cathlyn S. Linga
 ● It is imperative that the auditor also obtain an understanding of the
measurement and review of the entity’s financial performance.
● This may lead the auditor to uncover whether there are certain factors
which may be putting pressure on the entity and influencing management
actions- rendering the possibility of increased risks of material
misstatement.

References:
1. Irineo, J., Irineo, S., & James, G. (2018). Auditing and assurance principle. Good Dreams
Publishing.
2. Salosagcol, J., Tiu, M., & Hermosilla, R. (2018). Auditing Theory. GIC Enterprises & Co.,
Inc.
3. https://www.aicpa.org/research/standards/auditattest/downloadabledocuments/au-
00314.pdf

Made by:
Cathlyn S. Linga