Audit Planning

Learning Objectives
• To identify the processes in shariah audit planning
• To determine the materiality indicator in shariah audit
practice
• To develop understanding on the internal control for
shariah compliance
• To introduce shariah audit program during the audit
process
 Introduction
• Audit processes are the steps that involve in performing
shariah audit function which is done by the external auditors
• External shariah audit is an optional basis – this can be adopted
by IFIs
• The audit process can be broke down into the following audit
phases:

Consider
Establish Issue the
internal Perform
Preliminar Materiality Plan the shariah
control for audit
y Review and Assess Audit audit
shariah procedure
Risks report
compliance
Terms of Engagement
• The terms of engagement in conducting audit must done at the
planning stage.
• To allow the auditor to set the scope and objectives of the
relationship between the auditor and the IFIs.
• Engagement letter should address:
• The responsibilities: Scope, Independence, Deliverables
• Authority: right of access to information
• Accountability: Auditees’s rights, agreed completion date of the
auditor
• AAOIFI No 3. on terms of audit engagement – requires auditor
and the client to agree on the terms of the engagement
Preliminary Review
• Allows the auditor to gather organizational information as a
basis for creating their audit plan
• Identify the IFI’s strategy and responsibilities for managing
and controlling the institutions
• An auditor can provide an in depth overview of the IFI’s
operations system to establish which applications are
financially significant
• Preliminary review: the auditors will perform analytical review
to identify areas that need to be focused and mitigated
Analytical Review
• Analytical review: analysis of significant ratios and trends
including the resulting investigation of fluctuations and
variances
• 5 Types of Analytical Review:
• Compare client data and industry data
• Compare client data with similar prior period data
• Compare client data with client determined expected results
(budgets)
• Compare client data with auditor determined expected results
• Compare client data with expected results, using non-financial
data
 Shariah Audit Checklist
• Essential part of the planning stage
• Checklist:
Product design and structure Product documentation Product operations

• Suitable for the design of the • The product manual is in place • Product concept – well
product in the IFIs understood by the internal
• Shariah compliant • Product manual and legal parties especially the front
• Maqasid shariah of the product documentation – shariah lines
and necessary approvals compliant • Execution and disbursement of
• Endorsement – obtained for the products – follow shariah
the design and structure of the contract
product • Payment and repayment –
clear
• Product transaction recording
procedures – meet the
standards of IFRS
• Monitoring and recovery
policies and procedures – clear
and overall operations must be
shariah compliant
Materiality and risk assessment
in shariah audit practice
• Materiality and Assessment of the IFI’s business risks are
made to set the scope of the audit
• Materiality is
“Information is material if its omission or misstatement could
influence the economic decisions of users taken on the basis of
the financial statements. Materiality depends on the size of the
item or error judge in the particular circumstances of its
omission or misstatement. Thus, materiality provides a threshold
or cut- off point rather than being a primary qualitative
characteristic which information must have if it is to be useful”
Materiality in Shariah Audit
• The level of compliance needed for a certain transaction to be
considered as valid according to shariah
• Level needed to be adopted by internal auditors when they are
planning the audit. This includes:
• The audit of financial statements
• Compliance audit of the organizational:
• Structure
• People
• Process
• Information technology application system
• The review of adequacy of the shariah governance process
Auditor’s determination of
materiality
• A matter of professional judgment and is affected by the auditor’s
perception of the information needs of users of the financial
statements
• It is reasonable for the internal shariah auditor to assume that users:
• Have a reasonable knowledge of fiqh muamalat activities and
transactions and a willingness to study the information in the contracts
with reasonable diligence
• Understand that the contracts are prepared, presented and audited to
levels of materiality
• Recognized the uncertainties inherent in the measurement of amounts
based on the use of estimates, judgment and the consideration of future
events and
• Make reasonable economic decisions on the basis of the information in
the transactions of IFIs
Designing Shariah Audit Plan
• Internal shariah auditor should establish an acceptable
materiality level so as to detect quantitatively material
misstatements
• Both the amount (quantity) and nature (quality) of
misstatements need to be considered
• Qualitative misstatements would be the inadequate or improper
description of a product and services when it is likely that a
user of the information would be misled by the description
• Failure to disclose that breach of regulatory requirements when
it is likely that the consequent imposition of regulatory
restrictions will significantly impair operating capability
The auditor’s considerations
• Need to consider the possibility of misstatements of relatively
small amounts that cumulatively could have a material effect
on the structure of the issued product in the IFIs
• In terms of the organisation’s:
• Structure
• People
• Process
• Information technology application system
The relationship between
materiality and audit risk
• Internal shariah audit need to consider what would make the
information materially misstated
• Shariah audit need to decide as what items to examine and
whether to use sampling and substantive analytical procedures
• Selection of items – to reduce the shariah risk to an acceptably
low level
• The higher the materiality level, the lower the shariah risk and
vice versa
Materiality level in shariah audit
planning
• Materiality is quantified and considered twice during the
shariah audit process
• During the planning phase of the audit (planning materiality)
• During the concluding phase of the audit (final materiality)
• The SA may also audit non-financial items such as physical
access controls, logical access controls and systems for
personnel management, manufacturing control, design, quality
control and password generation
• The SA – identify relevant control objectives and determine,
based on materiality which controls should be examined.
• Internal control objectives are placed by management and
identifies what the management strives to achieve through their
internal controls
Materiality Indicators
• Needed to set certain level of materiality for the purpose of
determining whether a contract is valid, voidable or void is to be used
by the auditors when they are examining the documents in relation to
a transaction
• The degree of materiality measurement - used to ascertain whether
any activity or operation is indeed compliant to shariah
• Must be referred to the requirement of shariah on the contracts or
transactions
• Auditing – Issue of materiality arises!
• Internal audit has to set a minimum threshold of shariah compliance in
order to finally decide whether the activities and operations comply with
the shariah guidelines
• Some actions give rise to different implications to the contract
• Essential elements of a contract are the items that have to be strictly
observed
Materiality Indicator
• The materiality level to be used when assessing the risk of
shariah non-compliance can be divided into three main areas:

Major non shariah compliance

• Comprise of risk that may lead to invalidation of the contracts and /or
recognition of profit

Moderate non-shariah compliance

• Comprise of non-compliance of conditions of contract

Minor non-shariah compliance

• Comprised of other than the above
Contracts are categorized VALID, VOID AND VOIDABLE. A
contract is valid if all of its elements are found in order and all
conditions have been met.
A contract must also not imply prohibited activities such as
RIBA, GHARAR
A contract is void if its major conditions are not fulfilled
Major Non –Shariah Compliance
• The major conditions are:
• Existence of two parties, mature and sane which must be capable of entering into
contracts
• The existence of an offer and acceptance which have to be with free mutual consent
• A subject matter that should be in principle legal, existing, valuable, usable, capable
of ownership/title, capable of delivery/possession, specified and quantified and the
seller must have its title and ownership
• The contract must be free from any prohibited activity and is not contradicted with
any statutory or common law rule. To make a contract valid it must have essential
elements and each of the essential elements must meet the necessary conditions
• If any of the above mentioned is not fulfilled or – the contract will be
considered as primarily non-shariah compliance
• If the transactions in IFIs involve riba, gharar, maysir, prohibited commodities,
goods of no use to Muslim and cooperation to the matter of sin and aggression
– the contract will be considered major non-shariah compliant.
Moderate Non-Shariah
Compliance
• A contract would be voidable if:
• Conditions of lesser importance such as specifications of the
subject matter are not fulfilled.
• Contracts that involved in prohibited items or that are structured
in a way that is illegal may in certain circumstances be rectified
by removal of the objectionable clause to make the contract valid
• The underlying principle in the contracts in Islamic commercial
law is valid and permissible
• Any contract or stipulation is prohibited and void only if there is
an explicit rule in the shariah proving its prohibition and void
Minor Non-Shariah Compliance
• Comprised of elements that are classified as other than Major
and Moderate non-Shariah compliance risk
• The parameter of minor non-shariah compliance risks can also
be determined according to the needs of each IFI
Plan The Audit
• Proper planning will ensure the audit is conducted in an
effective and efficient manner
• SA planning is necessary to:
• Ensure audit will be performed in an effective manner
• Enable the auditor to obtain sufficient competent evidence for the
circumstances
• Help keep audit cost reasonable
• Avoid misunderstanding with client
Plan The Audit
• The auditor must plan and conduct the audit to ensure their
audit risk will be limited to an accepting level
• To limit the audit risk, SA need to:
• Obtain an understanding of IFIs and its environment
• Identify risks that may result in material misstatement
• Evaluate the IFI’s response to those risks
• Assess the risk of material misstatement
• Evaluate results and issue audit report
• SA plan shall be tabled to SC of the IFI for approval since it is
the responsibility of the SC to be involved in SA function
• SC of the IFIs will accommodate the auditor in identifying
shariah risks that requires attention and immediate action at the
planning stage.
 Internal Control of Shariah
Compliance
• An internal control for shariah compliance should be designed
and operated:
• To provide reasonable assurance that an IFIs objective are being
achieved:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws, regulations, accounting and
auditing standards
• To develop understanding of internal controls for shariah
compliance – consider information from previous SA
• Then, they will be able to assess the level of their control risks
• BNM’s Shariah Governance framework requires shariah audit to
check for sound and effective internal control system for SC
Internal Control
• The role is to manage risk rather than to eliminate it
• One of the principal means by which risk is managed
• To manage risk include the transfer of risk to third parties,
sharing risk, contingency planning and the withdrawal from
unacceptably risky activities
• A system of internal control consists of policies and procedures
designed to provide management with reasonable assurance
that the company achieves its objectives and goals
• Generally an organization has three broad objectives in
designing an effective internal control system:

The reliability of Efficiency and Compliance

financial effectiveness of with laws and
reporting the operations regulations
Elements of Internal Control for
shariah compliance
Internal control for shariah
Compliance

Adequate
Avoid shariah Shariah
Qualified
conflict of policies Audit-
HR
Interest and Internal
procedures
IFIs adoption of five major components of
Internal Control System
• A company’s system of internal control system commonly
comprises of five main components

Control environments

Identification and evolution of risks and control

objectives

Information and Technology

Control Procedures

Monitoring and Corrective Action

Perform Audit Procedures
• Developed based on the auditor’s understanding of the IFIs and
its environment
• Four types of tests that they can use to determine whether the
operations of IFIs are fairly stated
• It can be divided into two major areas:
• To satisfy the demand of test of control
• Conducted during the interim audit and before IFI’s financial year end
• To check on the effectiveness of the internal control system on shariah
compliance as well as if the operation system of IFIs comply with the
laws and regulation
• To satisfy the substantive test requirement
• Conducted at the end of each accounting period – final audit stage
• To detect material monetary misstatements in the auditor will audit the
operations of an IFIs based on the sample taken
 FRAMEWORK FOR AUDIT
PROCESS
Audit Process

Test of Substantive
Control Test

Internal
Operational Analytical Test of
control
Audit Procedure Transactions
system

Test of
Balance

In order to perform ST, the auditor needs to perform audit sampling to avoid testing
the whole population of the IFIs. To ensure the resources available in performing
shariah audit are being allocated efficiently and effectively
Audit Sampling
• Sampling is important to determine the sufficiency evidence from
the total number of target population
• One of the steps in audit process on the adequacy to warrant
generalization of the findings to the target population
• Audit sampling – the data gathered will be more accurate and
time saving
• The auditor should consider the audit objectives, the nature of the
population and the sampling and selection methods when
designing the size and structure of an audit sampling
• SA needs to consider the previous audit findings in determining
the sample size
• If previously, IFIs are highly exposed to Shariah non-compliance
issues, the auditor needs to increase the sample size in order to reduce
the risk faced by the auditor
Selecting the sample
• The auditor should select the sample items in such a way that
they are representative of the population
Sampling Methods

Random sampling
Statistical Sampling
Methods
Systematic
Sampling

Judgmental
Sampling
Non-Statistical
Sampling Methods
Haphazard
Sampling
Selecting the sample
• The selection of the sample size is affected by the level of
sampling risk that the auditor is willing to accept
• Sampling risk- the risk that the auditor’s conclusion may be
different from the conclusion that would be reached if the
entire population were subjected to the same audit procedure
• The two types of sampling risk:
• The risks of incorrect acceptance
• The risk of incorrect rejection
Evaluation and Documentation
of Samples
• The effect of not being able to apply a planned procedure to a
sample item in identifying shariah non-compliance risks
• A projection of the sample results to the population being
tested, then comparing those results with the planned amounts
• Appropriate consideration to the assessed level of sampling
risk must be performed
• Auditor needs to adequately consider qualitative aspects of
misstatements, such as the nature and cause of the
misstatements and the possible relationship of the
misstatements to other phases of the audit
Evaluation and Documentation
of Samples
The auditor must document in their work papers
the sampling objectives and the sampling process
used.

The working papers should include:

• The source of the population
• The sampling method used
• Sampling Parameters
• Items selected
• Details of audit tests
Audit Program
• It is designed to audit a particular area of the overall scope of
the audit exercises
• It is similar to checklist which is to check and identify the IFIs
adherence to shariah
• The Audit program designed in an islamic bank shall cover the
area of PER, Zakat and purification of Income.
• Compliance Issues – the audit program shall cover the area of
organizational structure, people, process and information
technology application system.
• The proposed shariah audit program can be used to audit on
the financial statements of IFIs, compliance audit and review
of adequacy of the shariah governance process
Audit Report
• Once audit procedures have been performed and
results have been evaluated, the auditor will issue
either an unqualified or qualified audit report
based on their findings
Conclusion
• Identifying audit process is necessary to determine and measuring
the exact work in shariah audit.
• All stages involved in the audit process shall be dealt accordingly
before moving to the next step
• One of the most important audit process is audit planning
• Audit planning is essential in performing shariah audit to ensure
that the follow of the overall audit process are met
• The auditor should plan the audit work so that the engagement will
be performed in an effective manner
• It is also important to develop a general strategy and detailed
approach on the shariah aspect, timing and extent of the audit work
• These will help to ensure that the audit is carried out in an efficient
and timely manner.