Chapter 6

PLANNING

1. Importance of planning:-

ISA 300 paragraph 2 "The auditor should plan the audit so that the engagement will be
performed in an effective manner"

Performance in an effective manner means:-

a) selecting right staff members and ensure that they are effectively employed

b) Identifying potential problem and risky areas

c) Work is focused on identified areas in (b) above

d) Good time planning so that work can be fully completed

e) Enabling deadlines to be met so that there is time for due consideration of the important issues

This is to ensure that risk of FS may be misstated is reduced to an acceptable level

Risk can be assessed a)KOB b) analytical procedures

There is an adverse relationship between risk and materiality

2. Audit strategy Sets overall approach of audit and covers:-

Scope related to:-

1. Financial reporting framework (local GAAP or IASs)

2. Specific industry or reporting requirements (banks, charities, listed or Insurance Cos)

3. Other factors influencing overall approach (multiple locations or group audits)

Timing of:-

1. Audit reports (final, interim, mgt & those charged with governance)

2. Audit visits both:-

a) Interim visits to document systems, evaluate controls in addition to some detailed lists (eg purchase
& disposal of non current assets)

b) Final visits focuses on statement of FS areas and finalization of FS & audit report

d) Consideration for interim audits:-

1) Client of sufficient size

2) Reporting deadlines (if very tight may be audit up to 11 months then "roll forward" to the
statement of financial position date)

3) Start early enough in order not to interfere with y/e procedures and give adequate
warning of specific problems

4) Finalize late enough to enable sufficient work to be done to ease the pressure on the final
audit
 3. Direction covers issues as preliminary:-

a) Assessment of materiality

b) Identification of high risk areas

c) Identification of material a/c balances & components (divisions, branches, subsidiary of the CO)

d) Assurance needed in case of reliance on controls

e) Need of site visits and other logistical issues

f) Recent developments and their impact on client's industry, regulatory and financial reporting
requirements

4. For small entities audit strategy shouldn't be complex with smaller audit team for better coordination &
communication between staff members

5. The impact of fraud on audit strategy

Ref to ISA 240 pare 24"the auditor should maintain an attitude of professional skepticism throughout the
audit", this means the auditor:-

a) Is concerned with fraud that:-

(i) May lead to material misstatement,

(ii) has an inherent intent to deceive,

(iii) If suspected leads to reduced levels of materiality and increased risk,

(iv) Lead to reduced reliance on internally generated evidence and increased reliance on externally/

own generated ones

(v) If mgt is suspected to be involved with fraud this will reduce reliance on mgt representation letter

b) Supports conclusions with relevant appropriate audit evidence

c) Ensures safeguards against threats are effectively operating/ in place

6. Possible different strategies

a) Final or interim & final

b) Reliance on controls or substantive procedures

c) Visits of CO's branches/ sites

d) Heavy reliance on analytical procedures rather than tests of controls

e) Do we need experts?

7. Audit plan

a) Answers the question of "what needs to be done and how?'

b) Concerned with implementing audit strategy

c) Identifies work to be done, by who and when

8. Knowledge of the business (KOB)

 Refers to detailed info related to clients:-

a) Industry b) Competition c) Technology

d) Laws & regulations e) Acquisitions & disposal f) Financing

g) Management h) ICSs and accounting policies

i) Related parties (SH, managers, Cos/entities under common control)

j) Trading partners (major customers/ suppliers)

9. Sources for Knowledge of the business (KOB)

a) A meeting with client b) Previous year's audit file (existing clients)

c) A planning meeting is required by ISA 315 para 14 "the members of the engagement team should
discuss the susceptibility of the entity's financial statements to material misstatements". This would enable
audit team assess risk levels and risk of fraud.

Both client & planning meeting enables audit team discuss initial analytical procedures findings the level of
risk to be assessed.

d) Analytical procedures:

(i) It is one of audit skills which help an auditor understand the client's business and changes in the
business, to identify risk and to plan other audit procedures.

(ii) It include comparison of data on FS with prior periods, budgets, forecasts and similar industries

(iii) It also includes consideration of predictable relationships such as:-

1. gross profit to sales,

2. payroll costs to employees,
3. Financial information and non-financial information, for examples the CEO's reports and the
industry news.

e) Possible sources of information about the client include:

1. interim financial information

2. Budgets
3. Management accounts
4. Non-Financial information
5. Bank and cash records
6. VAT returns
7. Board minutes
8. Discussion or correspondence with the client at the year-end

10. Materiality

a) ISA 320 para 3 "Information is material if it is omission or misstatement could influence the economic
decisions of users taken on the basis of the FS"

b) This means that materiality could be:-

(i) Big amount of money (i.e. determined by size)

(ii) Amount not big but:-

1. Triggers a threshold
 2. Indicates future developments or other significant events

3. Whose disclosure is compulsory

(ii) Material by nature for example:-

1. A transaction which means a client makes a loss rather than a profit

2. Transactions with directors

3. An accounting treatment which might be glossed over because the amount is small

c) Materiality is important because:-

(i) FS cannot show a true and fair view

(ii) Affect auditors procedures that should be designed to reduce risk of material misstatement to an

acceptable level

d) The assessment of what is material is a matter of professional judgment therefore firms use different
measures to quantify materiality

e) Materiality is used during planning & final stages of audit.

f) Common measures include:-

(i) % of gross profit

(ii) % of pre-tax income

(iii) % of total assets

(iv) % of equity

11. Tolerable error

a) ISA 530 para 12 "the maximum error in a population that the auditor is willing to accept"

b) Concerns the population being tested not like materiality that concerns FS as a whole

c) It is related to auditors judgment about materiality therefore considered at planning stage & for
substantive procedures

12.Documenting the planning process

a) There is a necessity to record audit strategy and planning process

b) We have two audit files:-

(i) Permanent file: contains all relevant information related to client's business (KOB) obtained during
planning stage that is relevant for more than one audit exercise (e.g. title deeds, names of
mgt/SH/charged with governance..)

(ii) Current file: contains all documents and evidence related to current audit (planning, completion,
statement of FS position and income statement areas)
 Chapter 7

Risk

1. Risk:-

Uncertainty that can affect performance either positively or negatively

a) Risk can represent opportunity or threat

b) Risk is characterized by likelihood and impact, including perceived importance
c) Risks are not problems: a problem is a risk that has already occurred with negative
consequences

2. Prcodural approach to auditing

Auditor carries out a set of standard procedures and tests regardless of the
particular nature of the client

3. Risk- based approach

Auditor plans the audit around the risks that the client's FS may contain
misstatements

4. Risk assessment as part of the audit process

Audits are conducted with an attitude of professional skepticism

a) Ask the question what could go wrong

b) An attitude that includes a questioning of mind and a critical assessment of
evidence

5. The importance of Risk analysis

Audits conducted under ISAs must follow the risk-based approach as this affects

a) the way audits are planned (identify likelihood of errors & misstatements occurring
in FS and plan audit work that addresses the same)
b) the sources of assurance (errors are discovered as early as possible, audits are
carried out most efficiently therefore minimizing the chance of issuing incorrect
opinion)
c) the nature of audit evidence gathered and procedures carried out (reduce chance of
getting sued, good understanding of risks of fraud and assess if the client is a going
concern
d) the amount of evidence gathered (reduce chance of getting sued, good
understanding of risks of fraud and assess if the client is a going concern)

There are two elements affecting Engagement Risk

a) Ethical issues: auditor needs to consider potential ethical issues on appointment,

re-appointment, planning, completion, accepting to provide non-audit services
b) Significant risks: risks which require special audit consideration
6. Audit risk

Audit risk: the risk that the auditor expresses an inappropriate audit opinion when
the FS are materially misstated

Also referred to as residual risk which refers to acceptable audit risk, i.e. it indicates
the auditor's willingness to accept that the FS may be materially misstated after the
audit is completed and an unqualified (clean) opinion was issued.

If the auditor decides to lower audit risk, it means that he wants to be more certain
that the financial statements are not materially misstated.

Audit Risk is further defined by way of a formula:-

o Audit Risk (AR)= Inherent Risk (IR) * Control Risk (CR)* Detection Risk
(DR)

Whereas:-

Inherent Risk: - the risk of errors or misstatements due to the nature

of the CO and its transactions. The assessment of IR depends on the following factors:-

 the professional judgment of the auditor (past history including identified

differences)

 the circumstances of the entity's business environment

 management's overall risk awareness

 complexity of determining the account amount (an estimate or FS disclosure)

Control Risk: - the risk of errors or misstatements because the CO's

internal controls are not strong enough to prevent, detect and correct them.

 CR increases due to lack of procedures implemented by client (cost for value

analysis?)

Detection Risk: - the risk that auditor's procedures don't pick up

material misstatements. DR includes two risks:-

 Sampling Risk: ISA 530 Para 7 " arises from the possibility that the auditor's
conclusion, based on a sample may be different from the conclusion reached if the
entire population were subjected to the same audit procedure

 Non-sampling Risk: the auditor arrives at incorrect audit conclusion due to

factors not related to the size of the sample (e.g. misleading by client's staff or failure
to investigate particular balance or transaction)

7. Assessing the risk

A checklist of relevant question can be used to asses the 3

components of Audit Risk (IR, CR & DR)
 Inherent & control risks are a client risks therefore are outside of the
auditor's control. They both relate to entity's nature and its systems and together are
known as Entity Risk

The auditor's response is to adjust detection risk therefore the only

risk that he can change

The later will determine the extent of audit procedures e.g. sample
sizes for audit tests
 Chapter 8

Systems & Controls

1. Definitions of Internal Control:-

In the United States many organizations have adopted the internal control concepts presented
in the report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Published in 1992, the COSO report defines internal control as:

A process, effected by an entity's board of directors, management and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives in the following categories:

 effectiveness and efficiency of operations,

 reliability of financial reporting, and
 Compliance with applicable laws and regulations.

ISA 315 describes IC as consisting of five essential components (it is a CRIME not to have good
IC)

1. C Control activities
1.1. Control activities include the policies and procedures maintained by an organization to address risk-
prone areas
1.2. Control activities can be referred to as ACCA MAPS whereas:-
1.2.1. A Approval
1.2.2. C Computer Controls
1.2.3. C Comparison
1.2.4. A Arithmetic controls
1.2.5. M Maintain and review control accounts
1.2.6. A Account reconciliation
1.2.7. P Physical controls
1.2.8. S Segregation of duties
1.3. The above can be recommended to a client's system as control activities provide safeguards to
prevent wrong actions from occurring
2. R Risk assessment
2.1. Risk assessment refers to the identification, analysis, and mgt of uncertainty facing the organization
2.2. Risk assessment focuses on the uncertainties in meeting the organization's financial, compliance, and
operational objectives
2.3. Changes in personnel, new product lines, or rapid expansion could affect an organization's risks
3. I Information and communication
3.1. ISA 315 states "the auditor should obtain an understanding of the information system, including the
related business processes, relevant to financial reporting"
3.2. Auditor should have an understanding to enable him form an opinion on whether FS include material
misstatements in the FS
3.3. Information and communication encompasses the identification, capture, and exchange of financial,
operational, and compliance information in a timely manner
4. M Monitoring
4.1. Monitoring refers to the assessment of the quality of internal control therefore Mgt must monitor
controls to be sure that they are effective
4.2. Manual or IT-based systems?
4.3. Informal monitoring activities might include mgt's checking with subordinates to see if objectives are
being met.
4.4. Formal monitoring activity would be an assessment of internal control system by the organization's
internal auditors
5. E The control environment:
5.1. Defined in ISA 315 as being made up of the right attitude of organization's mgt (e.g. ethical values,
commitment to competence, organizational structure….etc)-
5.2. The control environment provides discipline and structure for the other components (sets the tone for
the organization)
 5.3. Factors of control environment include employees' integrity, organization's commitment to
competence, mgt's philosophy and operating style, and the attention and direction of the board of
directors and its audit committee.
5.4. Computer based controls are divided into:-
5.4.1. Application controls: these are built into the system e.g. arithmetic checks
5.4.2. General controls: these are policies and procedures related to applications e.g. backup
procedures

2. Auditors & Internal Control Systems

Internal Controls produce FS and Auditors give an opinion on the truth & fairness of FS
Auditors need to judge whether systems are reliable (or) not in order to reduce (increase) audit
risk.
To do so auditors need:-
o Understand how the system works
o Understand controls within the system
o Test whether or not the controls are effective
o These procedures are known (collectively) as tests of controls or compliance tests
If the above tests confirmed that systems are being complied with then auditor can assume that
FS are accurate (i.e. not materially misstated). Size of transaction is irrelevant on this case
If the auditor is trying to confirm accuracy of balances on FS then the above won't be sufficient
and audit procedures need to be extended to get the required assurance
The later tests are known as substantive procedures.
Ref to ISA 315 "The auditor should obtain an understanding of the information systems,
including the related business processes, relevant to financial reporting"

3. Establishing the System

Sources of Info:-
o Previous knowledge/ experience
o Client's staff
o Client's system manuals
o Walk-through tests (where transactions are traced through the system to confirm our
understanding)
Documenting the system (large, complex, small, simple….etc):-
o Narrative notes
o Flowcharts
o Organizational charts
o Internal Control Questionnaire ICQ (client's staff questioned and systems documentation
reviewed to establish which controls exist))
o Internal Control Evaluation Questionnaire ICE (client's staff asked about existing controls
which achieve specific objectives therefore evaluating whether IC objectives are met or not)

4. The limitations of internal control

Human errors (judgments)

Collusion of staff
Abuse of responsibility to override rules and procedures

5. ISA 315 defines "Performance review" as the process in practicing firms to monitor performance on audits
and other assignments
6. Auditor reliance on ICS
6.1. Auditor needs to assess if he is relying on ICS
6.2. If yes, effectiveness of ICS to be examined
6.3. If auditor's exercise revealed that ICS are operating as expected then:
6.3.1. we may rely on them BUT it is advisable not to rely on them, and
6.3.2. to get assurance/ confirmation from other sources through testing the controls to see if they
are indeed operating effectively
 6.4. If tests of controls concluded that ICSs are not effective, then:
6.4.1. we need to assess whether risk of misstatement is at an acceptable level (immaterial)
6.4.2. May need to change the original audit plan. This can be achieved through:-
6.4.2.1. Alternative sources (external confirmation, analytical procedures, mgt representations)
6.4.2.1.1. Carry out substantive procedures by increasing extent of testing (i.e. looking at
a very high proportion of transactions for direct verification rather than relying on
the operation of controls)
6.4.2.1.2. ISA 330 states "Extent includes the quantity o f a specific audit procedure to be
performed, for example, a sample risk or the number of observations of a control
activity. The extent of an audit procedure is determined by the judgment of the
auditor after considering the materiality, the assessed risk , and the degree of
assurance of the auditor plans to obtain….."
7. The "nitty- gritty" of controls
7.1. Each accounting system should have:-
7.1.1. Control objectives: objectives that ICS is seeking to achieve
7.1.2. Control Procedures: procedures in place to ensure that controls are achieved
7.2. Auditor carries out tests of control: to generate evidence on the operation of controls
7.3. Sales cycle:-
7.3.1. Orders Dispatch goods Record sales Receive payment Record cash
7.3.2. For detailed control objectives & procedures please refer to text book pages 235-239
7.3.3. Test your understanding 1 page 239-240
7.4. Purchases System:-
7.4.1. Orders Receiving goods Receiving the invoice Payment
7.4.2. Please refer to detailed control objectives on your text book pages 240-244
7.4.3. Test your understanding 2 page 244-245
7.5. Wages & Salaries System:-
7.5.1. New Employees Wages/ Salries & deductions Leaves
7.5.2. Please refer to detailed control objectives on your text book pages 245-249
7.5.3. Test your understanding 3 page 249-250
7.6. Inventory:-
7.6.1. Inventory levels Raw materials Finished Goods Returned
Goods Inventory count
7.6.2. Please refer to detailed control objectives on your text book pages 251-254
7.7. Capital & Revenue expenditure:-
7.7.1. Expenditures for subtantial amounts therefore to be budgeted and approved by very senior mgt
7.7.2. Record details on assets register (supplier, price, location, responsible employee…etc)
7.7.3. Regular assets check/count against register
7.7.4. Ownership documents safely stored (registration or title deed documents)
7.7.5. Sale price based on fair value (check similar items or price guides)
7.7.6. Variance analysis for regular revenue expense items
7.8. Bank and Cash:-
7.8.1. Possible control procedures include:-
7.8.1.1. Cash balances are safeguarded
7.8.1.2. Minimum cash balances kept
7.8.1.3. Withdraw money from banak accounts for authorised purposes
7.8.2. Control tests over:-
7.8.2.1. Cash receipts
7.8.2.2. Cash payments
7.8.2.3. Bank reconciliations
7.8.2.4. Petty cash
8. Reporting to those charged with governance
8.1. Material weaknesses on internal controls to be reported in writing to audit committee (if any) or mgt
as agreed with auditors
8.2. This has traditionally been known as management letter or report to mgt and usually sent at end of
the audit process
8.3. It is not a comprehensive report but addresses weaknesses highlighted during the audit
8.4. The formal structure consists of:-
8.4.1. a covering letter
8.4.2. an appendix of:-
8.4.2.1. observed weaknesses,
8.4.2.2. possible risks/ consequences
8.4.2.3. & recommendation to improve current practice (who should carry control procedures
and when)