ACCA Paper F 8

AUDIT AND ASSURANCE SERVICES (INTERNATIONAL

STREAM)

Lecture 3

Audit Planning and Risk

DATE: Autumn 2008

TUTOR:

1
ISA 300 AUDIT PLANNING

Auditors should plan the audit so that the engagement is conducted in an

effective manner.

The objectives of planning include:-

• Directing appropriate attention to the different areas of the audit such

as assessing materiality, so that when the detailed audit plan is
prepared, audit procedures can be directed towards the material
amounts.
• Identify potential problems or risks so that they can be resolved at an
early stage.
• Facilitate review and control of the audit.
• Assigning and briefing staff with appropriate skills, knowledge, training,
proficiency.
• Coordinating the work of others such as that of experts.

• Obtaining knowledge and understanding of the client’s business.

• Providing an economic and effective service within appropriate

timescales

Planning an audit will permit development of:-

• An audit strategy based on risk analysis

• An audit plan that addressing the risks identified.

2
Planning procedures:

• Review the previous years working papers

• Identify problem areas encountered
• Determine staffing requirements
• Obtain an indication of time required
• If the client is new, review the previous auditors’ working papers to
obtain closing balances which will affect this year’s financial
statements.
• Determine the trading pattern and problems faced by the client
company.
• Establish timetable, important dates and deadlines
• Assess the effect of changes from previous year:

1 1. Systems

1 2. Law and regulation

1 3. Accounting policies

1 4. Management

1 5. Other relevant matters

• Perform analytical review or procedures on the latest accounts.

• Request preparation of cash and profit projections where solvency

problems are foreseen.
• Review the work of internal audit.
• Evaluate whether reliance on other expert is necessary
• Allocate and brief audit staff.

3
ISA 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND
ASSESSING THE RISK OF MATERIAL MISSTATEMENT.

315.2 The auditor must obtain an understanding of the entity and its
environment, including internal controls, so that they can identify and assess
the risks of material misstatement on financial statements due to fraud or
error and design and perform further audit procedures.

The objective of this standard is to ensure that auditors obtain sufficient

knowledge of the business of the entity to enable them to identify and
understand the events, transactions or practice that may have a significant
effect on the financial statements or the audit. This knowledge of the
business helps to assess the levels of control and inherent risk and to
determine audit procedures.

Procedures to follow:-
• Enquiry of management
• Analytical procedures.
• Observation and inspection.

4
ISA 400 RISK ASSESSMENT

There are 2 main categories of risk

1. Business Risk
2. Audit Risk.

1. Business Risks

Business risk is the risk that the business will fail to meet its objective.

Elements of Business Risk include

• Financial risk which arises from the company activities such as going
concern problems, overtrading, credit risk, interest risk, currency risk
and breakdown of accounting systems.
• Operational risk arising from the operation of the business such as lost
business opportunities, loss of physical assets and lack of business
orders.
• Compliance risk arising from non-compliances with laws and
regulations such as breach of companies acts, and health and safety
regulations.

2. Audit risk is the risk that the auditor come to an invalid conclusion in
audit report and come to an incorrect opinion that either:

1 1. The audit report is unqualified but subsequently material error is

found in the financial statement.

1 2. The audit report is qualified but subsequently no material error is

found in the financial statement.

5
There are two types of audit risks:-

1. Inherent risk
2. Control risk

Inherent and control risk together form risk of material misstatement.

Detection risk mainly a part of sampling risk

1. Inherent risk is the risk that misstatement will occur due to factors
inherent in the company’s business or environment or the nature of
individual transaction or balance. It is the risk attached to an assertion
that could cause a material misstatement. Certain assertions, related
classes of transactions and account balances such as stock are more
prone to risk.

Inherent risk depends on the type of business.

1
2 The following have a high inherent risk:

• Businesses with products subject to changes in fashion and technology

business. The risk is that stock could be overstated.
• Companies with a dominant chief executive.
• Small and new companies.
• Companies experiencing going concern problems.
• Companies facing a highly competitive environment.

6
 1 2. Control risk is the risk that a misstatement could occur in an account
balance or class of transactions and that could be material either
individually or when aggregated with misstatement in other balance or
class, would not be detected and corrected on timely basis, by the
accounting and internal control systems.
2 This is the risk that the client’s internal control system will not prevent
errors occurring or will not detect them after the occurrence so that
they may be prevented.

Example of control risk – corporate culture of slack control procedures,

lack of proper reconciliation of ledger balances.

3. Detection risk the risk that auditor’s substantive procedures do not

detect a misstatement that exist in an account balance or class of
transactions that could be material either individually or when aggregated
with misstatements in other balance. One component of detection risk is
sampling risk. Sampling risk is the possibility that the auditor’s
conclusion, based on a sample, may be different from the conclusion
reached if the entire population were subjected to the audit procedure.
1

7
ISA 320 AUDIT MATERIALITY

Auditors must consider materiality and its relationship to audit risk when
conducting and audit.

Information is material if its omission or misstatement could influence the

economic decisions of users taken on the basis of the financial statements.

Materiality is an important concept in the audit process and affects:-

• Audit risk evaluation
• The nature, timing and extent of audit procedures (e.g. sample sizes).
• The determination of whether the financial statements are distorted
by misstatements discovered.

The auditor’s assessment of materiality is influenced by the following:

• The overall impact on the financial statements.

• Individual account balances and transactions
• The size of the item. For example, an item may be large in relation to
certain items in the financial statements profit, turnover, gross assets,
individual assets, and liabilities.

Quantitative materiality
1
2 An item is material if it is :-
3
4 > 5-10% of profit before tax

5 > ½– 1% of turnover

8
 1 > 1 – 2% of gross total assets

> 2 -5% of net assets

2
3 > 10% of an individual asset/liability

1 Qualitative materiality
2
3 The nature of an item which is immaterial in size could be material if it
is :-

4
5 1. Illegal payment or otherwise immaterial amounts could be material.
Material contingency could rise and results in a material loss of assets
or revenue.
6
7 2. Inadequate or improper description of an accounting policy could be
material. Users of the financial statements could be misled.

8 3. The requirement to disclose information in compliance with the

Companies Act or other regulations (e.g. directors’ transaction even if
immaterial in size).

9 4. Items required to be precisely stated (e.g. share capital & reserves,

dividends, audit fees).

9
Assessing Risk: ISA 330 The auditor's procedures in response to
assessed risks
10

ISA 330 indicates that the auditor must determine the nature and extent of
audit evidence to be obtained from the performance of substantive
procedures in response to the related assessment of the risk of material
misstatement. This varies depending on the assessment of inherent and
control risks, and that, irrespective of the assessed risk of material
misstatement, the auditor designs and performs substantive procedures for
each material class of transactions, account balance, and disclosure and that
the assessed levels of inherent and control risk cannot be sufficiently low to
eliminate the need to perform any substantive procedures.

These substantive procedures may include the use of external confirmations

for certain specific financial statement assertions.

The higher the auditor’s assessment of inherent and control risk, the more
reliable and relevant is the audit evidence the auditor needs to obtain from
the performance of substantive procedures. The use of confirmation
procedures may be effective in providing sufficient appropriate audit
evidence.

On the other hand, the assessed risk of material misstatement and the level
of inherent and control risk is low, the less assurance the auditor needs from
substantive procedures. For example, if an entity has a loan that it is
repaying according to an agreed schedule, the terms of which the auditor has
confirmed in previous years and the other work carried out by the auditor
including tests of controls indicates that the terms of the loan have not

10
changed, this means that the risk of material misstatement level of inherent
and control risk is low, and the auditor can limit substantive procedures to
testing details of the payments made, rather than again confirming the
balance directly with the lender.

In order to reduce risk to an acceptably low level, the auditor should

determine overall responses to the assessed risks at the financial statement
level and design and perform further audit procedures to respond to assessed
risks at assertion level.

ISA 240 defines assertions as representations by management that are

included in the financial statements, as used by the auditor to consider the
different types of potential misstatements that may occur.

Responses to risk at the financial statement level include:-

• Emphasizing to the audit team the need to maintain professional

skepticism in gathering and evaluating audit evidence.
• Assigning more experienced staff or those with special skills or using
experts, providing more supervision.
• Incorporating additional elements of unpredictability in the selection of
further audit procedures to be performed.
• Make general changes to the nature, timing, or extent of audit
procedures as an overall response, for example, performing
substantive procedures at period end instead of at an interim date.

The assessment of the risks of material misstatement at the financial

statement level is affected by the auditor’s understanding of the control
environment. An effective control environment may allow the auditor to
have more confidence in internal control and the reliability of audit
evidence generated internally within the entity and thus, allow the auditor

11
 to conduct some audit procedures at an interim date rather than at period
end.

If there are weaknesses in the control environment, the auditor should

conduct more audit procedures as of the period end rather than at an
interim date, seek more extensive audit evidence from substantive
procedures, and modify the nature of audit procedures to obtain more
persuasive audit evidence.
Responses to risk at the assertion level include:-

The auditor should design and perform further audit procedures whose
nature, timing,
and extent are responsive to the assessed risks of material misstatement at
the
assertion level.

In designing further audit procedures, the auditor considers such matters as

the following:

• The significance of the risk.

• The likelihood that a material misstatement will occur.
• The characteristics of the class of transactions, account balance, or
disclosure
involved.
• The nature of the specific controls used by the entity and in particular
whether they
are manual or automated.
• Whether the auditor expects to obtain audit evidence to determine if the
entity’s
controls are effective in preventing, or detecting and correcting, material
misstatements.

12
The auditor’s assessment of the identified risks at the assertion level provides
a basis for considering the appropriate audit approach for designing and
performing further audit procedures.

The response must use:-

1. Test of controls

In some cases, the auditor may determine that only by performing tests of
controls will he achieve an effective response to the assessed risk of material
misstatement for a particular assertion. Tests of control are an audit
procedure designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the
assertion level. The auditor designs tests of controls to obtain sufficient
appropriate audit evidence that the controls operated effectively throughout
the period of reliance. Matters the auditor may consider in determining the
extent of the auditor’s tests of controls include the following:

• The frequency of the performance of the control by the entity during the
period.
• The length of time during the audit period that the auditor is relying on the
operating
effectiveness of the control.

13
• The relevance and reliability of the audit evidence to be obtained in
supporting that
the control prevents, or detects and corrects, material misstatements at the
assertion
level.
• The extent to which audit evidence is obtained from tests of other controls
related to the assertion.

2. Substantive Procedures. If the auditor determines that performing only

substantive procedures is appropriate for specific assertions, he can exclude
the effect of controls from the relevant risk assessment. This may be because
the auditor’s risk assessment procedures have not identified any effective
controls relevant to the assertion, or because testing the operating
effectiveness of controls would be inefficient. However, the auditor needs to
be satisfied that performing only substantive procedures for the relevant
assertion would be effective in reducing the risk of material misstatement to
an acceptably low level. Often the auditor may determine that a combined
approach using both tests of the operating effectiveness of controls and
substantive procedures is an effective approach.

Substantive procedure – An audit procedure designed to detect material

misstatements at the assertion level.

Substantive procedures comprise:

(i) Tests of details (of classes of transactions, account balances, and

disclosures), and
(ii) Substantive analytical procedures. Tests of detail are appropriate for
matters identified as significant risks. These include complex or unusual
transactions which make indicate fraud or other special risks.

Timing of Substantive Procedures

14
In most cases, audit evidence from a previous audit’s substantive procedures
provides little or no audit evidence for the current period.

Exceptions:-
* A legal opinion obtained in a previous audit related to the structure of a
securitization to which no changes have occurred, may be relevant in the
current period. In such cases, it may be appropriate to use audit evidence
from a previous audit’s substantive procedures if that evidence and the
related subject matter have not fundamentally changed, and audit
procedures have been performed during the current period to establish its
continuing relevance.

Using audit evidence obtained during an interim period

In some circumstances, the auditor may determine that it is effective to

perform substantive procedures at an interim date, and to compare and
reconcile information concerning the balance at the period end with the
comparable information at the interim date to:

(a) Identify amounts that appear unusual

(b) Investigate any such amounts
(c) Perform substantive analytical procedures or tests of details to test the
interim
period.

15
Performing substantive procedures at an interim date without undertaking
additional
procedures at a later date increase the risk that the auditor will not detect
misstatements that may exist at the period end.

Test of Controls at interim stage:

When the auditor obtains evidence about the operating effectiveness of
controls during an interim audit, the auditor should determine what additional
audit evidence should be obtained for the remaining period.

Documentation
The form and extent of audit documentation is a matter of professional
judgment, and is
influenced by the nature, size and complexity of the entity and its internal
control, availability of information from the entity and the audit methodology
and technology used in the audit.

Must document the following:-

• Key elements of the entity
• Identified or assessed risk of material misstatement
• Responses to address risk
• Nature, extent, timing of procedures.
• Conclusions

ISA 240 The auditor's responsibility to consider fraud in the audit of

the financial statements.

External Auditor’s Responsibilities

1. The objective of the auditor is to identify and assess the risks of material
misstatement,

16
whether due to fraud or error, at the financial statement and assertion levels,
through
understanding the entity and its environment, including the entity’s internal
control, thereby providing a basis for designing and implementing responses
to the assessed risks of material misstatement.

2. In planning the audit and in performing audit procedures to reduce audit

risk to an acceptably low level, auditor must consider the risks of material
misstatements in the financial statements due to fraud.

3. Auditors must be aware of the possibility of material misstatements due to

fraud. The auditor must adopt an attitude of professional scepticism during
the audit and be alert to circumstances that may lead to fraud.

4. Risk assessment procedures for fraud:-

• Inquiries of management charged with corporate governance
• Consideration of fraud risk factors
- Changes in the entity such as large acquisitions or reorganizations or
other unusual events.
- Use of off-balance-sheet finance, special-purpose entities, and other
complex financing arrangements.
- Weaknesses in internal control, especially those not addressed by
management
- Significant amount of non-routine or non-systematic transactions
including inter-company transactions and large revenue transactions at
period end.
• Consideration of results of analytical procedures.
• Non-compliance with laws and regulations that may materially affect
the financial statements.

5. Appropriately design audit procedures. Increase sample size where

assessed risk is high.

6. Obtain written management representations

* Acknowledging that it is their responsibility to prevent and detect fraud

17
 * Confirming that they have disclosed to the auditor, their own
assessment of risk of fraud and any knowledge of fraud or suspected
fraud.

7. Report
* To appropriate level management if auditor has identified fraud or is
suspicious of fraud.
* To those charged with governance if fraud involves management,
significant employees and third parties.
* To regulators if there is a statutory duty.

ISA 620 - USING THE WORK OF AN EXPERT

“Expert” means a person or firm possessing special skill, knowledge and

experience in a particular field other than accounting and auditing.

An expert may be:

(a) Engaged by the entity;
(b) Engaged by the auditor;

18
(c) Employed by the entity; or
(d) Employed by the auditor.

When the auditor uses the work of an expert employed by the auditor, that
work is used in the employee’s capacity as an expert rather than as an
assistant on the audit.

The auditor should obtain sufficient appropriate audit evidence that the scope
of the expert’s work is adequate for the purposes of the audit.

An expert’s work can be used :-

• At the planning stage to obtaining an understanding of the entity and
performing further procedures in response to assessed risks.
• During the audit to obtain audit evidence in the form of reports,
opinions, valuations and statements of an expert.

The auditor needs to assess 4 issues in relation to an expert:-

1. Necessity to use him
2. Competence and objectivity – is he an employee or a contracted third
party.
3. Scope of work of the expert.
4. Actual work. Consider the source data used, assumptions, methods
and results.

Reference to an Expert in the Auditor’s Report

1. When issuing an unqualified report, the auditor should not refer to the
work of an

19
expert. Such a reference might be misunderstood to be a qualification of the
auditor’s
opinion or a division of responsibilities.

2. If as a result of the work of an expert, the auditor decides to issue a

qualified audit report, it may be appropriate to refer to or describe the
work of the expert (including the identity of the expert and the extent of
the expert’s involvement). In these circumstances, the auditor would
obtain the permission of the expert before making such a reference. If
permission is refused and the auditor believes a reference is necessary,
the auditor may need to seek legal advice.

20